POLICY RESEARCH PAPER Consumer Risks in Fintech New Manifestations of Consumer Risks and Emerging Regulatory Approaches APRIL 2021 DIGITAL PEER- INVESTMENT-BASED MICRO- TO-PEER CROWD- CREDIT LENDING FUNDING E-MONEY FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE POLICY RESEARCH PAPER Consumer Risks in Fintech New Manifestations of Consumer Risks and Emerging Regulatory Approaches APRIL 2021 DIGITAL PEER- INVESTMENT-BASED MICRO- TO-PEER CROWD- CREDIT LENDING FUNDING E-MONEY © 2021 International Bank for Reconstruction and Development/The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org DISCLAIMER This work is a product of the staff of the World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. RIGHTS AND PERMISSIONS The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. CONTENTS Acknowledgments vii Acronyms and abbreviations viii 1. EXECUTIVE SUMMARY 1 2. INTRODUCTION 12 2.1 The Aims of This Paper 12 2.2 Key Fintech Products Covered in This Paper 14 2.3 How the Paper Is Structured 14 2.4 Areas Outside the Scope of This Paper 15 3. OVERVIEW AND IMPLEMENTATION CONSIDERATIONS 18 3.1 Cross-Cutting Risks and Regulatory Approaches 18 a) Gaps in regulatory perimeter 19 b) Fraud or other misconduct 21 c) Platform/technology unreliability or vulnerability 24 d) Business failure or insolvency 25 e) Consumers not provided with adequate information 26 f) Product is unsuitable for a consumer 33 g) Conflicts of interest and conflicted business models 36 h) Risks from algorithmic decision-making 38 i) Data privacy 39 3.2 Implementation Considerations 40 a) Importance of country context and striking an appropriate balance 40 b) Assessing the market, consumer experiences, and current regulatory framework 41 c) Determining the right regulatory approach 42 d) Effective supervision critical for impact 43 e) Complementary non-regulatory measures 43 4. DIGITAL MICROCREDIT 50 4.1 Introduction 50 a) Scope of chapter 50 b) Key characteristics of digital microcredit 50 c) Benefits and risks of digital microcredit 51 d) Emerging examples of regulatory approaches to address risks 51 e) Summary of risks and regulatory approaches discussed in this chapter 52   iii iv   Consumer Risks in Fintech 4.2 Consumers Not Provided with Adequate Information 52 a) Lack of adequate information 54 b) Poor format of disclosed information 55 c) Timing and flow of disclosed information 57 d) User interfaces 58 4.3 Marketing Practices via Remote Channels 59 a) Risks to consumers 59 b) Regulatory approaches 60 4.4 Unfair Lending 61 a) Risks to consumers 61 b) Regulatory approaches 62 4.5 Algorithmic Scoring 64 a) Risks to consumers 64 b) Regulatory approaches 65 4.6 Gaps in the Regulatory Perimeter 67 a) Risks to consumers 67 b) Regulatory approaches 68 5. PEER-TO-PEER LENDING 74 5.1 Introduction 74 a) What is meant by peer-to-peer lending? 74 b) Importance of effective financial consumer protection for peer-to-peer lending 75 c) Risks for consumers as lenders/investors or as borrowers 76 d) Summary of risks and regulatory approaches discussed in this chapter 76 5.2 Consumer Risks for Both Lenders/Investors and Borrowers 78 a) Gaps in regulatory perimeter 78 b) Fraud or other misconduct 81 c) Platform/technology unreliability or vulnerability 82 d) Business failure or insolvency 83 e) Inadequate credit assessments 85 f) Conflicts of interest between platform operators and lenders/investors or borrowers 86 5.3 Additional Consumer Risks for Lenders/Investors 88 a) Inadequate investment-related information 88 b) Harm due to lenders’/investors’ lack of sophistication or inexperience 94 c) Borrower fraud 97 5.4 Additional Consumer Risks for Borrowers 97 a) Inadequate loan-related information 97 b) Risks from digital provision of P2PL credit 98 6. INVESTMENT-BASED CROWDFUNDING 106 6.1 Introduction 106 a) What is investment-based crowdfunding? 106 b) Framing the risks 106 c) Summary of risks and regulatory approaches discussed in this chapter 107 6.2 Investor Inexperience and Higher-Risk Nature of Investee Companies 108 a) Risks to consumers 108 b) Regulatory approaches 109 6.3 Risks Related to the Nature of Securities Offered on Platforms 112 a) Risks to consumers 112 b) Regulatory approaches 113 6.4 Consumers Not Provided with Adequate Information 115 a) Risks to consumers 115 b) Regulatory approaches 116 Contents  v 6.5 Platform Operator Misconduct or Failure 119 a) Risks to consumers 119 b) Regulatory approaches 119 6.6 Issuer Fraud 122 a) Risks to consumers 122 b) Regulatory approaches 122 7. E-MONEY 128 7.1 Introduction 128 a) The significance of e-money in a consumer and inclusion context 128 b) Relevance of FCP to address e-money consumer risks 129 c) Key definitions 129 d) Risks and approaches 129 e) Summary of risks and regulatory approaches discussed in this chapter 129 7.2 Gaps in the Regulatory Perimeter 131 a) Risks to consumers 131 b) Regulatory approaches 132 7.3 Fraud or Other Misconduct 132 a) Risks to consumers 132 b) Regulatory approaches 133 7.4 E-Money Platform/Technology Vulnerability or Unreliability 136 a) Risks to consumers 136 b) Regulatory approaches 136 7.5 Mistaken Transactions 137 a) Risks to consumers 137 b) Regulatory approaches 137 7.6 Provider Insolvency or Illiquidity 138 a) Risks to consumers 138 b) Regulatory approaches 138 7.7 E-Money not covered by deposit insurance schemes 139 a) Risks to consumers 139 b) Regulatory approaches 140 7.8 E-Money Not Redeemable for Face Value 140 a) Risks to consumers 140 b) Regulatory approaches 140 7.9 Consumers Not Provided with Adequate Information 140 a) Key product information not disclosed upfront 140 b) Inadequate ongoing information 142 c) Inability to retain information 143 d) Disclosure format risks in a digital context 143 e) Misleading marketing 143 7.10 Unsuitable E-Money Products 144 a) Risks to consumers 144 b) Regulatory approaches 144 REFERENCES 149 Legislation, Binding Rules, and Guidance 149 Other Sources 151 vi   Consumer Risks in Fintech TABLES Table 1: Consumer Risks and Regulatory Approaches by Fintech Product 4 Table 2: Fintech Products Discussed in This Paper 14 Table 3: Consumer Risks and Regulatory Approaches: Digital Microcredit 53 Table 4: Consumer Risks and Regulatory Approaches: Peer-to-Peer Lending 76 Table 5: Consumer Risks and Regulatory Approaches: Investment-Based Crowdfunding 108 Table 6: Consumer Risks and Regulatory Approaches: E-Money 130 ACKNOWLEDGMENTS This Policy Research Paper is a product of the Financial Inclusion and Consumer Protection Team within the Financial Inclusion, Infrastructure & Access Unit of the World Bank Group’s (WBG) Finance, Competitiveness & Innovation Global Practice. This paper was prepared by Gian Boeddu, Jennifer Chien, and Ivor Istuk (Senior Financial Sector Specialists, WBG) and Ros Grady (Consultant, WBG), with valuable research and drafting assistance from Arpita Sarkar (Consultant, WBG). Mahesh Uttamchandani (Practice Manager, WBG) provided overall guidance. The team is grateful for valuable comments received from the following WBG staff members: Sharmista Appaya (Senior Financial Sector Specialist), Patricia Caraballo (Senior Financial Sector Specialist), Ana Fiorella Carvajal (Lead Financial Sector Specialist), Julian Casal (Senior Financial Sector Specialist), Isaku Endo (Senior Financial Sector Specialist), Harish Natarajan (Lead Financial Sector Specialist), and Luz Maria Salamina (Principal Operations Officer); and from the following external reviewers: the Consultative Group to Assist the Poor (CGAP), the International Financial Consumer Protection Organisation (FinCoNet), the G20/OECD Task Force on Financial Consumer Protection (G20 Task Force), Professor Katja Langenbucher, and Alexandra Rizzi (Center for Financial Inclusion). The team also gratefully acknowledges editorial assistance provided by Charles Hagner and design and layout assistance provided by Debra Naylor of Naylor Design, Inc. Finally, the team gratefully acknowledges the generous financial support of the Ministry of Foreign Affairs of the Kingdom of the Netherlands and the Bill & Melinda Gates Foundation under the Financial Inclusion Support Framework (FISF) program, without which preparation of this paper would not have been possible.   vii ACRONYMS AND ABBREVIATIONS AFPI Indonesian Joint Funding Fintech Association AI artificial intelligence AML/CFT anti-money laundering/countering the financing of terrorism APR annual percentage rate ASIC Australian Securities and Investments Commission BdP Banco de Portugal BIS Bank for International Settlements BNM Bank Negara Malaysia CAK Competition Authority of Kenya CBIRC China Banking and Insurance Regulatory Commission CGAP Consultative Group to Assist the Poor CONDUSEF National Commission for the Protection and Defense of Users of Financial Services (Mexico) DFSA Dubai Financial Services Authority EBA European Banking Authority FCA Financial Conduct Authority (UK) FCP financial consumer protection FinCoNet International Financial Consumer Protection Organisation FSP financial service provider G20 Task Force G20/OECD Task Force on Financial Consumer Protection GDPR Regulation 2016/679—General Data Protection Regulation (EU) GSMA GSM Association ICCR International Committee on Credit Reporting IMF International Monetary Fund viii KFS key facts statement MiFID Directive 2014/65/EU—Markets in Financial Instruments Directive (EU) MNO mobile network operator NBFC non-banking financial company OJK Otoritas Jasa Keuangan (Financial Services Authority, Indonesia) P2P peer-to-peer P2PL peer-to-peer lending PSD2 Directive 2015/2366 on Payment Services (EU) RBI Reserve Bank of India SEC Securities and Exchange Commission (USA) T&C terms and conditions TCC total cost of credit TILA Truth In Lending Act (USA) USSD Unstructured Supplementary Service Data WBG World Bank Group All dollar amounts are US dollars unless otherwise indicated. 1 EXECUTIVE SUMMARY Fintech1 is increasingly recognized as a key enabler for Similarly, while there has been significant uptake of elec- financial sectors worldwide, enabling more efficient tronic money (e-money) in many developing markets, the and competitive financial markets while expanding rise in usage has been accompanied by a rise in a variety access to finance for traditionally underserved con- of risks for consumers, including potential loss of funds sumers. As noted in the Bali Fintech Agenda2 launched due to fraud and unscrupulous fee-charging practices. in October 2018 by the WBG and International Monetary Such negative experiences, in addition to causing direct Fund (IMF), fintech can support economic growth and harm to consumers, may also lead to greater mistrust of poverty reduction by strengthening financial develop- fintech and the financial sector overall. ment, inclusion, and efficiency. The critical challenge for policy makers is to harness the benefits and opportunities The COVID-19 pandemic has further accelerated the of fintech while managing its inherent risks. widespread transition of consumers to digital finan- cial services and fintech, highlighting their significant Along with its benefits, fintech also poses a range of benefits while also demonstrating how risks to con- risks to consumers that need to be mitigated in order sumers can increase in times of crisis and economic for fintech to truly benefit consumers. Some of these stress. For example, reports from Indonesia indicate that risks are new, but many represent new manifestations of individual lenders/investors are currently being adversely existing risks resulting not only from the technology sup- affected by risky loans made through P2PL platforms, porting and enabling fintech offerings but also from new as are borrowers who obtained such loans but are now or changed business models, product features, and pro- struggling to have lenders/investors agree to restructure vider types, as well as greater accessibility for consum- them.6 Significant numbers of low-income consumers are ers to sometimes unfamiliar or more complex financial facing increasing difficulty in repaying existing debts due products.3 For example, a rapid expansion of the peer- to the pandemic.7 Small enterprises have been severely to-peer lending (P2PL) market in China in the first half of affected by widespread closures and safety measures the 2010s was followed by significant platform collapses designed to slow the spread of COVID-19, decreasing and incidents of fraud and platform operator misconduct the enterprises’ profitability and impeding their ability to that caused significant losses to consumers.4 While digital honor repayment obligations.8 This in turn exposes their microcredit has expanded access to credit in some devel- investors to increased risk of loss from their investments. oping countries, countries such as Tanzania and Kenya In addition, significant increases in fraudulent app-based have seen large numbers of borrowers who are unable to digital microcredit lenders have been observed during repay their loans due to irresponsible lending practices.5 lockdowns related to COVID-19.9   1 2   Consumer Risks in Fintech Authorities responsible for financial consumer protec- misconduct, including charging of unauthorized fees, tion (FCP) are increasingly faced with the challenge of splitting transactions to earn more commissions and developing or adapting regulation to address risks to “skimming” into agent accounts. Regulatory approach- consumers generated by fintech. The task of regula- es to address such risks include vetting of fintech enti- tors in developing countries is even more difficult if they ties during the authorization stage; risk management are attempting to tackle this new challenge while having and governance obligations for platform operators; to implement a baseline FCP regulatory framework10 at imposing clear responsibility and liability on provid- the same time. In a recent survey, regulators identified ers for the conduct of persons acting on their behalf; their limited internal technical expertise as the foremost placing targeted obligations on platform operators to impediment to regulating and supervising “alternative safeguard consumers’ interests regardless of business finance” (such as P2PL and equity crowdfunding) effec- model (such as requiring P2PL platform operators to tively.11 This paper is intended to contribute to regulators’ undertake creditworthiness assessments even if they efforts to bridge the gaps in expertise and knowledge are not themselves the lender); warnings and provision regarding emerging fintech products and their attendant of other key disclosures to consumers regarding the FCP issues. risks associated with fintech products; and segregation of client funds. This paper aims (1) to identify significant new mani- • Certain characteristics of fintech business models festations of consumer risks posed by four key fintech can lead to conflicts of interests between consum- products (digital microcredit, P2PL, investment-based ers and fintech entities. For example, lending models crowdfunding, and e-money)12 and (2) to provide heavily dependent on fees generated by new business examples of regulatory approaches emerging interna- can give rise to perverse incentives for fintech enti- tionally that regulators can consider when developing ties to act in a manner inconsistent with the interests regulatory policy to target such risks. Examples of reg- of their consumers, such as P2PL platforms or digital ulatory approaches are drawn from country examples and microcredit providers focusing on loan quantity over international literature. quality to maximize fee-related returns. Such risks can be exacerbated in markets where fintech entities are The primary focus of this paper is informing authorities’ attempting to grow their revenues and size quickly. development of regulatory policy. It is hoped, however, Potentially harmful conflicts can also arise where fin- that the discussion of manifestations of consumer risks in a tech entities are empowered to make key decisions fintech context can also assist authorities with related key affecting the risk of loss, but where that risk is borne by areas, such as market conduct supervision. consumers—such as a P2PL or crowdfunding platform operator assisting with loan or investment selection Key types of consumer risks and corresponding regu- and performing inadequate due diligence on these. latory approaches discussed in this paper include the Corresponding regulatory approaches include plac- following: ing positive obligations on fintech entities to manage • Factors such as the novelty and opaqueness of fin- and mitigate conflicts of interest, to act in accordance tech business models, fintech entities’ responsibil- with the best interests of their consumers, to undertake ities in the context of those business models, and adequate assessments regardless of business model, lack of consumer familiarity with and understand- and to prohibit certain business arrangements that ing of new offerings can lead to heightened risks encourage conflicted behavior. of fraud or misconduct by fintech entities or third • Consumers may face a heightened risk of adverse parties. Platform finance (P2PL and investment-based impacts due to platform or technology unreliability crowdfunding) poses risks to consumers as both lend- or vulnerability. Consumers may be more vulnerable ers/investors and borrowers. Lenders/investors may to cyber fraud when acquiring fintech products than face loss due to conduct perpetrated by platform when accessing financial products through more tra- operators or related parties, such as fraudulent lend- ditional channels because interaction with providers ing or investment opportunities, misappropriation of is largely or exclusively via digital and remote means. funds, or facilitation of imprudent lending or invest- Platform or other technology malfunctions can have ment to generate fee revenue for the operator to the adverse impacts on consumers ranging from incon- detriment of consumers who ultimately bear potential venience and poor service to monetary loss and loss losses. Consumers borrowing from such platforms of data integrity, the risk of which may be increased may similarly suffer harm from the resulting imprudent due to heavier reliance on automated processing of lending. Holders of e-money face risks related to agent transactions. Regulatory approaches to address such Executive Summary   3 risks include specific obligations on fintech entities to has positive implications for financial inclusion but can address technology and systems-related risks and risks present enhanced risks for ordinary consumers new to associated with outsourcing. assessing more complex opportunities. Potential reg- ulatory approaches include setting limits on individual • Some fintech entities may be at greater risk of busi- investments, such as overall caps on how much an ness failure or insolvency than established financial individual may borrow through a P2PL platform or how service providers (FSPs) due to inexperience, untest- much money a company can raise on a crowdfunding ed businesses, and market factors affecting long- platform, or limitations on specific types of investors or term viability. This can lead to consumers whose exposures; targeted warnings to potential investors; funds are held or administered by a fintech entity fac- requiring consumers to confirm that they understand ing correspondingly greater risk of loss if the provider the risks they are undertaking; and cooling-off periods. becomes insolvent or their business ceases to operate. Risks may also arise with respect to digital microcredit Consumers may risk losing their committed loan princi- products being offered to consumers that are unsuit- pal or investment funds, or repayments or investment able and unaffordable for such consumers. Regulatory returns owed them, that are being held or adminis- approaches include requiring effective creditworthiness tered by a P2PL or crowdfunding platform whose oper- assessments and applying product design and gover- ator becomes insolvent or fails. Insolvency of e-money nance principles, particularly where automated credit issuers or banks holding an e-money float similarly puts scoring is utilized. client funds at risk, especially where there is no deposit insurance. Regulatory approaches to address such risks • Use of algorithms for consumer-related decisions include requirements for client funds to be segregated is becoming particularly prevalent in highly auto- from other funds held by a fintech entity and requiring mated fintech business models. Consumers may face that fintech entities have in place business continuity a range of risks as a result, such as discriminatory or and resolution arrangements. biased outcomes. Emerging approaches in this con- text include applying fair treatment and anti-discrimi- • The digital environment poses inherent challenges nation obligations to algorithmic processes; putting in to disclosure and transparency, amplified by the place governance frameworks that require procedures, novelty of fintech product offerings and consumers’ controls, and safeguards on the development, test- lack of experience with such products. Information ing, and deployment of algorithms to ensure fairness; provided via digital channels may not be appropriately auditing requirements; and providing consumers with formatted to assist in understanding or retention by rights regarding how they or their information may be consumers. Poor design of user interfaces may hamper subjected to algorithmic decision-making. consumer comprehension or exploit behavioral biases by concealing or underplaying “negative” aspects Table 1 summarizes new manifestations of consumer such as risks and costs. Fintech can also give consum- risks and corresponding regulatory approaches for ers access to products, such as P2PL or crowdfunding each fintech product discussed in this paper. While investment opportunities, to which they may previously many of these risks cut across the fintech landscape, they have had limited or no exposure, making clear, under- may manifest differently in the context of different fintech standable information even more essential for good products. decision-making. Approaches to address such issues include requirements to disclose key information in a In terms of implementation, it is not the intent of consistent and clear format, on a timely basis, and in a this paper to suggest that all risk mitigants discussed manner that can be retained by consumers. Behavioral herein be implemented. For any regulator contemplating insights can also be utilized to disclose information via implementing the kinds of regulatory measures discussed digital channels in a manner that aims to increase the in this paper, it will be important to prioritize and take a likelihood of consumer comprehension. risk-based approach, to tailor regulatory approaches to • Consumers face potentially heightened risks when country context, and to balance the need for consumer acquiring fintech products due to their lack of sophis- protection with the resulting impact on industry and mar- tication or inexperience. Due to the development of ket development and innovation. It would not necessarily fintech, consumers increasingly have access to novel be advisable for a country to implement all of the reg- and complex financial products, but they may lack the ulatory measures discussed in this paper immediately or knowledge or experience to assess or use these prod- to transplant approaches from other jurisdictions without ucts properly. For example, platform finance enables adjustment. This paper also summarizes a range of key more individuals to act as investors and lenders; this implementation matters for regulators to consider. 4   Consumer Risks in Fintech TABLE 1: Consumer Risks and Regulatory Approaches by Fintech Product RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Digital Microcredit (Chapter 4) Disclosure and transparency • Require prominent disclosure of both total cost metrics and clear 54 breakdown of costs Content of disclosure • Require disclosure of key T&C in channel being used for transaction • Information about pricing is incomplete and not transparent (for example, range of different methods • Indicate specific T&C that must be disclosed in transaction channel used to convey pricing, finance charges not disclosed • Require access to full T&C, including after transaction completed separately from principal and fees for third-party charges not disclosed) • Inadequate access to complete information about terms and conditions (T&C)—for example, links to full T&C provided at separate location Format of disclosure • Encourage greater standardization in presentation of fees/pricing 55 • Lack of standardized format for costs • Require plain language without technical jargon or graphical • Information conveyed via mobile phones in a format elements affecting readability or manner that does not facilitate comprehension • Require standardized presentation of information adapted for • Consumers may not be able to retain information digital channels (for example, bite-sized chunks of info provided in consistent manner) • Provide secondary layers of information for further details • Provide offline channels to obtain further info and assistance as well as the ability to access info for future reference Timing and flow of information • Require order and flow of info to enhance transparency and 57 • Key information such as pricing provided after comprehension, providing an intuitive “digital journey” through a completion of a transaction transaction process • Less appealing information may be de-emphasized • Require disclosure of pricing and key T&C earlier in transaction process • Leverage behavioral insights to encourage consumers to engage with info (for example, require confirmation to move to next stage of transaction) User interfaces • Require user interface be user-friendly and easy to navigate, 58 • User interface may not be user-friendly, with complex including on low-end mobile devices menus that are difficult to navigate • Encourage consumer testing of user interfaces • Require providers to provide guidance to consumers on user interfaces Marketing practices via remote channels • Require explicit warnings on risks of short-term, high-cost credit, and 59 • Push marketing and unsolicited offers encourage information on alternatives to such loans and helpful resources impulse borrowing • Ban sales practices that focus on ease of obtaining credit, trivialize • Exploitation of behavioral biases (for example, credit, or target vulnerable consumers encouraging borrowing of maximum amount possible, • Slow down process of transacting digitally to allow consumers more trivializing loans) time for reflection and deliberation (for example, intermediate steps/ • Misleading ads targeting vulnerable consumers (for screens, adding a review screen) or appropriate cooling-off period example, emphasizing benefits, hiding risks, unrealistic • Require loan options be presented in manner that is beneficial (or offers with hidden conditions, marketing on weekend at least neutral) to consumers and not exploitative (for example, evenings) banning default selection of maximum loan size, pre-ticked boxes • Remote nature of digital channels and rapid speed of which lead customers to sub-optimal options) transactions increase consumer vulnerability Executive Summary   5 TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Unfair lending • Require providers to assess the ability of prospective customers 61 • High prices for digital microcredit to repay loans and grant loans only where they are affordable to potential borrowers • Mass marketing to consumers with little assessment of individual consumer circumstances or ability to repay • Impose requirements that limit rollovers and multiple borrowing to (“lend-to-learn” model) decrease risk of over-indebtedness • Certain business models based on high loss rates (for • Require enhanced monitoring of loan portfolios, particularly where example, large late fees relative to size of loan) automated credit scoring is utilized • Poor practices such as rolling over loans or • Apply product design and governance rules to digital microcredit, encouraging multiple borrowing including designing processes and customer acquisition plans to ensure that potential harms and risks to consumers are considered • Abusive debt collection practices utilizing mobile and mitigated phone and social media data to contact relatives, friends, and colleagues • Adapt debt collection rules to prevent abusive debt collection practices utilized by digital lenders Algorithmic scoring • Apply fair treatment and anti-discrimination rules to algorithms 64 • Biased outcomes due to poor algorithm design, • Require appropriate procedures, controls, and safeguards during incomplete or unrepresentative input data, biased development, testing, and deployment of algorithms to assess and input data manage risks related to bias and discrimination • Discrimination based on proxies reflecting sensitive • Require regular auditing of algorithmic systems by external experts attributes • Ensure transparency to consumers regarding use of algorithms • Consumers unaware or powerless regarding use of • Provide consumers with right not to be subject solely to automatic algorithm processing and the right to request human intervention • Regulators lack technical expertise to evaluate algorithmic systems; proprietary nature of algorithms Regulatory perimeter • Ideally, establish activity-based framework covering all providers 67 • Unlevel playing field for different types of providers, of digital microcredit (banks, mobile network operators, non-bank with often weaker rules for non-bank lenders lenders) • Regulatory gaps for app-based lenders, who may not • Where activity-based approach is not feasible, be opportunistic and be covered by any regulatory authority and/or may be build off of existing rules and power to cover non-bank microcredit based in another country providers • Coordinate with domestic and international regulatory authorities • Consider regulating domestic agents and intermediaries of foreign fintech companies • Pursue complementary, non-regulatory measures, including industry codes of conduct and working with mobile platforms to establish and enforce rules in key areas for app-based lenders • To address gaps in the coverage of cross-border fintech activities, consider range of measures—including applying a country’s FCP requirements (and regulators’ mandates) to fintech providers dealing with consumers in that country, regardless of where the providers are based. Also consider supporting coordination and cooperation between authorities to assist with enforcement of relevant requirements Peer-to-Peer Lending (Chapter 5) Risks for both lenders/investors and borrowers Gaps in regulatory perimeter: P2PL is not adequately • Apply FCP requirements on an activities basis (lending and 78 covered by a country’s FCP regime, and borrowers and investment-related services), rather than by institution type lenders/investors receive even less protection than • Extend existing FCP requirements to P2PL and, where necessary, applies to traditional lending introduce additional FCP rules for P2PL • Issue regulatory guidance to address uncertainty regarding the application of existing FCP requirements to P2PL (Also, see approaches for addressing cross-border risks summarized above in the context of digital microcredit) 6   Consumer Risks in Fintech TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Fraud or other misconduct: Fraud or other misconduct • Impose licensing/registration and vetting and competence 81 by P2PL platform operators, related parties, or third par- requirements on operators and related parties ties • Require operators to have in place adequate risk management and governance arrangements • Require operators to segregate consumers’ funds and deal with them only in prescribed ways • Consider compensation funds (Also, see below for approaches to address platform/technology vulnerability risks that may facilitate fraud) Platform/technology unreliability or vulnerability: Plat- • Require operators to have in place adequate risk management and 82 form/technology unreliability or vulnerability that causes governance arrangements or facilitates loss, inconvenience, or other harms • Require operators to comply with targeted risk management and operational reliability requirements, including for technology-related risks and outsourcing • Impose specific competence requirements on operators in relation to matters such as information technology–related risk Business failure or insolvency: Business failure or insol- • Require operators to segregate consumers’ funds, hold them with an 83 vency of operator, causing loss, such as of lenders’/ appropriately regulated entity, and deal with them only in prescribed investors’ capital or future income on loans or borrowers’ ways committed loan funds or repayments • Require operators to have in place business continuity and hand- over/resolution arrangements • Require operators to comply with record-keeping requirements to support business continuity arrangements • Impose vetting and competence requirements on operators and related parties Inadequate credit assessments: Inadequate credit • Impose creditworthiness assessment requirements on operators 85 assessments, increasing the risk of losses from borrower regardless of whether they are the lender of record defaults for lenders/investors and over-indebtedness for borrowers Conflicts of interest: Conflicts of interest between plat- • Impose general conflict mitigation obligations on operators 86 form operators (or their related parties) and lenders/ • Require operators to comply with duties to act in consumers’ best investors or borrowers, leading to operators and related interests parties to engage in conduct not in the interests of their • Require operators to meet obligations regarding fair loan pricing and consumers: fees and charges-setting policies consistent with consumers’ interests • Conflicts of interest leading to imprudent lending • Place restrictions or prohibitions on operators or their associates assessments by operators investing in loans facilitated by their platforms • Conflicts of interest leading to unfair or inappropriate • Impose creditworthiness assessment requirements on operators loan pricing regardless of whether they are the lender of record • Conflicts of interest from intra-platform arrangements causing operators to engage in conduct favoring related parties over consumers Executive Summary   7 TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Additional risks for lenders/investors Inadequate investment-related information: Lenders/ 88 Investors are not provided with adequate investment- related information, including: • Inadequate up-front information when considering or • Require platform operators to provide/make available to consumers making investments/loans ahead of any transaction information highlighting key matters relating to P2PL, such as expected risks, factors affecting returns, and restrictions on early exit • Require platform operators to provide key precontractual information about individual loans to prospective lenders/investors in business models allowing individual loan selection • Mandate warnings or disclaimers in key contexts to highlight risks for consumers and assist in balancing out inappropriately optimistic perceptions • Information being provided in an inadequate format • Require platform operators to give key information appropriate prominence on electronic channels • Require key information to be provided in a standardized format to assist clarity and comparability (Also, see approaches for risks from digital disclosure summarized above in the context of digital microcredit) • Unbalanced or misleading marketing regarding P2PL • Require platform operators to comply with general prohibitions investment/lending opportunities against providing misleading information (and, when necessary, clarify via more specific regulatory guidance the application of such prohibitions to marketing of P2PL opportunities) • Impose targeted restrictions on specific P2PL circumstances presenting higher risk of misleading investors • Inadequate ongoing information about the • Require platform operators to provide ongoing information to performance and status of their investments/loans lenders/investors at prescribed times or frequencies regarding matters affecting their investments/loans specifically, such as defaults and changes to borrowers’ circumstances, or more generally, such as performance of the operator and adverse events Harm due to lenders’/investors’ lack of sophistication • Impose lending/investment caps on less sophisticated or more 94 or inexperience: Such as taking on risk of loss they vulnerable lenders/investors (jurisdictions have done so on a variety cannot afford or do not understand of bases) • Impose caps on the amount that individual borrowers may borrow through P2PL platforms as another way to reduce risk of loss to lenders/investors • Consider compensation funds Borrower fraud: Loss for lenders/investors due to • Require platform operators to comply with risk management 97 borrower fraud requirements referred to above, as well as targeted requirements such as to obtain appropriate identification information and implement measures against fraudulent access to their platform (know your customer requirements under anti-money laundering and countering the financing of terrorism laws would also be relevant) • Impose creditworthiness assessment requirements on platform operators regardless of whether they are the lender of record Additional risks for borrowers Inadequate loan-related information • Extend application of existing traditional credit disclosure 97 requirements to platform operators even when they are not the lender of record • Address gaps in existing borrower disclosure regimes by developing requirements specific to P2PL (Also, see approaches for risks relating to credit disclosure summarized above in the context of digital microcredit) 8   Consumer Risks in Fintech TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Risks from digital distribution of P2PL credit: Risks aris- See approaches summarized above in the context of digital microcredit 98 ing from digital distribution of credit summarized above in the context of digital microcredit can also affect digital distribution of P2P loans to borrowers Investment-Based Crowdfunding (Chapter 6) Investor inexperience and higher-risk nature of • Require risk warnings and disclosures about key aspects of 108 investee companies crowdfunding • Small business and start-up investee companies may • Impose issuer caps—limitations on the size of an issue constitute a riskier investment for retail investors • Impose investor caps—limitations on individual investments/ • Investors are often unlikely to possess sufficient exposures knowledge or experience, or have access to financial • Require investor-suitability assessments to be undertaken by platform advice, to assess offers operators • Investees may have majority shareholder and • Establish cooling-off periods for investors management arrangements that present risks for minority shareholders such as external crowdfunding investors Risks related to the nature of securities offered on • Prescribe disclosure requirements focused on emphasizing the illiquid 112 crowdfunding platforms nature of issued securities • Securities rarely traded on any kind of organized • Restrict the types of securities that can be issued market and may have limitations on transferability— • Impose targeted product intervention investors may not understand or be able to deal with • Require targeted warnings risk of being unable to exit their investment • Introduce rules facilitating information exchanges and secondary • Creation of complex hybrid securities by incorporating trading rights and restrictions for security holders to match issuer’s needs Consumers are not provided with adequate • Introduce investment-related disclosure requirements 115 information • Introduce regulation of bulletin boards and crowdfunding trading • Crowdfunding issuers often tend to be small facilities (including secondary market) to assist information accuracy businesses or in their start-up phase with a limited • Apply fair marketing rules to investment-based crowdfunding track record, limiting the availability of information activities • High separation between ownership by crowdfunding investors and parties that control issuers—potential lack of information provided to crowdfunding investors • Retail investors in crowdfunding securities are also at risk of misleading marketing practices, potentially exacerbated as a result of issuers being new to making public offers Platform operator misconduct or failure • Introduce authorization and vetting requirements 119 • Platform operators and related parties may engage • Require business-/service-continuity arrangements in misconduct under a range of circumstances that • Require segregation of client funds affect investors, from outright fraud to incompetent • Impose rules and require policies for mitigating conflicts of interest administration to undertaking unfair conflicted • Apply risk management requirements of the kinds summarized above behavior in the context of P2PL • Failure of a platform can leave investors without services essential to the continued integrity of their investment Issuer fraud: Consumers investing on crowdfunding plat- • Require platform operators to undertake due diligence 122 forms may suffer losses due to issuer fraud, such as sham offers or concealing or providing misleading information Executive Summary   9 TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE E-Money (Chapter 7) Gaps in regulatory perimeter: Current requirements may • Allow e-money activities to be undertaken only by licensed entities 131 not apply to all entities offering e-money products, and (that may include non-banks) even if the licensing rules are activities based, consumer • Ensure consumer protection rules also apply on an activities basis to protection rules may not apply to e-money as a product providers of e-money given innovative differences. • Ensure that e-money is covered by any relevant definition of financial product or service Fraud or other misconduct resulting in consumer • Impose licensing/registration and vetting and competence 132 loss requirements on providers and related parties • Fraud or misconduct by issuers or related parties, • Impose rules specifically for agents, including requirements for agent including agents due diligence, requirements for agency agreements, requirements for • Fraud by third parties agents to be trained and monitored, and clear provider responsibility and liability for agent conduct • Require operators to have in place adequate risk management and governance arrangements • Mandate transaction-authentication standards and require transaction-specific fraud-prevention methods to be applied—for example, limits on transaction attempts • Limit consumers’ liability for an unauthorized transaction, except, for example, in case of fraud or gross negligence by the consumer • Require warnings and information about security risks to be provided to consumers • Require consumers to advise providers of matters relevant to potential fraud, such as lost or stolen devices or security credentials • Place the burden of proof on providers to show transactions were unauthorized • Require reporting of large-scale fraud/security breaches • Prohibit agents from charging unauthorized fees (Also, see below for approaches to deal with platform/technology vulnerability risks that may facilitate fraud) • Conflicts between interests of providers or agents and • Impose conflict mitigation obligations on providers to avoid conduct consumers (such as perverse incentive arrange- to their advantage inconsistent with consumers’ interests, or ments for agents), leading to consumer harms equivalent conduct engaged in by agents E-money platform/technology vulnerability or unreli- • Mandate technology risk and cybersecurity-management 136 ability: Platform/technology unreliability or vulnerability requirements that causes or facilitates loss, inconvenience, or other • Place obligations on operators to ensure appropriate/minimum levels harms of operational reliability • Require notice to users of anticipated/actual service interruptions • Make a payer institution liable for transactions not being completed as instructed Mistaken transactions: A consumer’s funds are misdi- • Require a mechanism that enables the consumer to view transaction 137 rected to an incorrect account/recipient as a result of details before transaction completion error, rather than fraud • Require providers to explain how to stop transfers  • Require FSPs involved in a transaction to assist in resolving mistakes • Place the burden of proof on providers to show a transaction was authenticated and recorded accurately Provider insolvency or liquidity risks • Require an e-money issuer to isolate and ring-fence funds equal to 138 • A provider may become insolvent with insufficient e-money balances outstanding funds to meet the demands of e-money holders • Limit activities e-money issuers can carry out to minimize insolvency • E-money may also not be covered by deposit risk insurance schemes • Mandate initial and ongoing capital requirements • A provider or their agents may not have enough liquid • Require issuers to maintain sufficient liquidity and to ensure agents funds to meet consumer demand, such as for cash-out have sufficient liquidity to honor cash-out obligations transactions 10   Consumer Risks in Fintech TABLE 1, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE E-money not covered by deposit insurance schemes: • Deposit insurance may be extended to e-money balances or to 139 E-money balances may not have the benefit of deposit custodial accounts holding the e-money float depending on availability insurance that applies to traditional accounts, in the event of scheme in the country. An alternative policy approach is to exclude of insolvency of either the e-money issuer or a custodial e-money balances from deposit insurance schemes. (The arguments for institution holding an e-money float (such as a bank hold- and against each of these options are beyond the scope of this paper ing a trust account) but are covered in other publications referenced later in the paper) E-money not permitted to be redeemed for face value: • Require funds to be redeemed at face/par/equivalent value 140 Providers may seek to apply a discount beyond transac- tion-processing fees Consumers are not provided with adequate Information 140 • Key product information is not disclosed/available up • Require compliance with general transparency and/or disclosure front to consumers • Require public up-front disclosure of T&C and fees and charges through all applicable channels, as well as provision of written agreements at contracting stage • Require consumers to be given notice of changes • Require standard form agreement to be lodged with regulator • Inadequate ongoing information, such as about • Require written notice of changes to be provided to consumers ongoing transactions, changes to the product, or • Require transaction receipts to be issued product suspension or withdrawal • Require periodic statements to be issued and/or that consumers be able to access details of previous transactions • Disclosed information cannot be easily retained by a • Require information to be in a form the customer can access and consumer keep for future reference • Disclosure format risks in a digital context • See approaches for equivalent risks summarized above in the context of digital disclosure for digital microcredit • Misleading marketing • Prohibit misleading marketing in relation to e-money account • Require disclosure of provider’s details in marketing materials to assist with recourse • Impose specific rules—for example, making risk statements prominent Unsuitable e-money products: E-money products may • Require providers to design and distribute e-money products to 144 not be designed to be suitable for the consumer seg- meet the needs and capabilities of users in their target market ments they are marketed to, particularly some previously • Impose individual suitability assessment requirements unserved or underserved consumers NOTES 1 For the purposes of this paper, fintech refers to advances in technology that have the potential to transform the provision of financial services spurring the development of new business models, applications, processes, and products. See World Bank Group and International Monetary Fund, Bali Fintech Agenda, 12. 2 World Bank Group and International Monetary Fund, Bali Fintech Agenda. 3 For an overview of risks and benefits in a digital financial services context, see G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protection Policy Approaches, 12–14. 4 See, for example, Duoguang, “Growing with Pain,” 42; Owens, “Responsible Digital Credit,” 8–9; Huang, “Online P2P Lend- ing,” 77; Hornby and Zhang, “China’s Middle Class.” 5 For example, a 2017 MicroSave study found that 2.7 million Kenyans were blacklisted in credit reference bureaus in the past three years, 400,000 of these for amounts of less than $2. See MicroSave, “Where Credit Is Due.” 6 See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.” 7 For example, 76 percent, 80 percent, and 89 percent of low-income survey respondents in Ghana, India, and Kenya, respec- tively, indicated they were late in making loan repayments since the pandemic began. See BFA Global, “Dipstick Surveys.” 8 See, for example, Gibbens, “Helping Small Businesses.” 9 https://www.centerforfinancialinclusion.org/combating-the-rise-in-fraudulent-fintech-apps 10 For an overview of key elements of a FCP regulatory framework (as an element of a broader legal and supervisory framework for FCP), see, for example, World Bank Group, Good Practices, 14, 68, 102, and 140. 11 World Bank Group and CCAF, Regulating Alternative Finance, 63. 12 Selected as examples of fintech offerings that may address some of the most basic needs of first-time, and thus inexperienced, financial consumers—namely, making payments, borrowing, or saving or investing money—as well as representing different stages in the development of fintech product offerings and corresponding regulatory and policy frameworks that surround them. See section 2.2 below for definitions of these terms as used in the paper. INTRODUCTION 2 INTRODUCTION 2.1 THE AIMS OF THIS PAPER or changed business models, product features, and pro- vider types, as well as greater accessibility for consumers Within the broader digital financial services space, the to sometimes unfamiliar or more complex financial prod- umbrella term fintech (financial technology) represents ucts.16 For example, a rapid expansion of the P2PL market particularly novel product or service offerings leverag- in China in the first half of the 2010s was followed by sig- ing technology. While there is no universally accepted nificant platform collapses and incidents of fraud and plat- definition of fintech, a broad interpretation recently pos- form operator misconduct that caused significant losses ited by the WBG and IMF describes fintech as advances in to consumers.17 While digital microcredit has expanded technology that have the potential to transform the provi- access to credit in some developing countries, countries sion of financial services, spurring the development of new such as Tanzania and Kenya have seen large numbers of business models, applications, processes, and products.13 borrowers who are unable to repay their loans.18 Simi- larly, while there has been significant uptake of electronic Fintech is increasingly recognized as a key enabler for money (e-money) in many developing markets, the rise financial sectors worldwide, enabling more efficient in usage has been accompanied by a rise in a variety of and competitive financial markets while expanding risks for consumers, including potential loss of funds due access to finance for traditionally underserved consum- to fraud and unscrupulous fee-charging practices. ers. In October 2018, the WBG and IMF launched the Bali Fintech Agenda, a set of 12 policy elements aimed The COVID-19 pandemic has further accelerated the at helping countries harness the benefits and opportuni- widespread transition of consumers to digital financial ties of fintech while managing its inherent risks.14 As noted services and fintech, highlighting their significant ben- in the Bali Fintech Agenda, fintech can support potential efits while also demonstrating how risks to consumers growth and poverty reduction by strengthening financial can increase in times of crisis and economic stress. For development, inclusion, and efficiency. Recent analysis by example, reports from Indonesia indicate that individual the IMF also points to the potential for digital finance to lenders/investors are currently being adversely affected assist in mitigating economic impacts of the COVID-19 by risky loans made through P2PL platforms, as are bor- pandemic.15 rowers who obtained such loans but are now struggling to have lenders/investors agree to restructure them.19 Along with its benefits, fintech also poses a range of Significant numbers of low-income consumers are facing risks to consumers that need to be mitigated in order increasing difficulty in repaying existing debts due to the for fintech to truly benefit consumers. Some of these pandemic.20 Small enterprises have been severely affected risks are new, but many represent new manifestations of by widespread closures and safety measures designed existing risks resulting not only from the technology sup- to slow the spread of COVID-19, decreasing their busi- porting and enabling fintech offerings but also from new nesses’ profitability and impeding their ability to honor 12 Introduction    13 repayment obligations.21 This in turn exposes their inves- of regulatory approaches are drawn from country exam- tors to increased risk of loss from their investments. The ples and international literature. The primary focus of this COVID-19 pandemic has also increased the demand for paper is on informing authorities’ development of reg- digital payment services such as e-money in preference ulatory policy—that is, FCP rules. It is hoped, however, to using cash. Reasons for this include the impact of lock- that the discussion on manifestations of consumer risks downs on both consumers and merchants; the dissemi- in a fintech context that need to be understood for the nation of emergency relief, welfare payments, and other purposes of formulating regulatory policy can also assist forms of welfare support via digital platforms; reductions authorities with key related areas, such as market conduct in fees for payment services; a disinclination to use cash supervision. because of the perceived risk of virus transmission via paper money; and central banks’ encouragement of con- This paper is not intended to cover all consumer risks sumers to use digital payment services, and merchants to and corresponding regulatory approaches common accept them.22 With the increased momentum for digital to traditional and fintech products. In 2017, the WBG financial services generated by the crisis, it is important published the latest edition of its Good Practices for that regulatory measures also address potential increases Financial Consumer Protection (WBG FCP Good Practices in risk. For example, prior to new P2PL rules coming into 2017),26 which addresses this broader range of baseline, effect, Korean authorities announced a lowering of the and equally important, risks and mitigants applying across limits they would place on how much individual lenders/ financial product categories in both a traditional and fin- investors could invest, taking into account increased lev- tech context.27 This paper is intended to be a complemen- els of credit risk amid the COVID-19 crisis.23 Recognizing tary publication to the WBG FCP Good Practices 2017 by the increased need for accessible funding, some regula- assisting policy makers in developing and implementing tors have introduced temporary adjustments to existing FCP regulation that addresses new manifestations of risks crowdfunding regulations to facilitate and speed up the affecting consumers in this context. process of raising funds.24 This paper considers fintech-related risks from a retail Authorities responsible for FCP are increasingly faced consumer perspective. In particular, it identifies and dis- with the challenge of developing or adapting FCP reg- cusses risks that have potential adverse impacts for retail ulation as may be necessary to address risks to con- consumers (typically individuals or micro, small, or medium sumers generated by fintech. Regulators are having to enterprises) when acquiring and using fintech offerings, consider whether and what adjustments they may need especially the kinds of risks that authorities increasingly to make to established FCP approaches, or whether new consider warrant regulatory intervention. Some risks, such innovative approaches are required, to mitigate manifes- as in relation to gaps in the coverage of FCP regulation tations of consumer risks resulting from fintech. The task or impacts from the use of algorithms, are discussed sep- of regulators in developing countries is even more difficult arately in the context of their root causes to help readers if they are attempting to tackle this new challenge while understand them, but with the ultimate aim of addressing having to implement baseline FCP regulatory frameworks the potential consumer harm that can result. at the same time. International practice is converging on FCP regula- In a recent survey on alternative finance such as P2PL tory approaches to address some risks, but for other and investment-based crowdfunding, regulators iden- risks, measures can differ significantly or are still in tified their limited internal technical expertise as the the developmental stage. The recent regulator sur- foremost impediment to regulating such activities vey on alternative finance noted above indicated that effectively.25 This paper is intended to contribute to reg- wide variance remains in international adoption of vari- ulators’ efforts to bridge gaps in expertise and knowledge ous regulatory requirements, in part perhaps reflecting about the interaction of FCP issues and fintech. the limited development of relevant markets, as well as regulatory responses.28 This paper highlights where con- This paper aims (1) to identify significant new mani- vergence is occurring. To avoid giving an overly narrow festations of consumer risks posed by four key fintech view, however, and to assist regulators in developing their products (digital microcredit, P2PL, investment-based own approaches in a rapidly developing field, the paper crowdfunding, and e-money) and (2) to provide exam- also covers approaches that as yet may be disparate in ples of regulatory approaches emerging internation- addressing the same risks, or are still in preliminary stages ally that are intended to address such risks. Examples of development. 14   Consumer Risks in Fintech This paper draws from a cross section of jurisdictions, established examples such as e-money offerings to more both geographically and in terms of level of develop- recent developments such as P2PL and crowdfunding. ment. To identify risks and corresponding approaches, the paper draws to a large extent on findings made There are obviously many other emerging products and and initiatives implemented, or being implemented, by service offerings for which further research insights would national and international authorities. While not all regu- be beneficial, such as robo-advice, ‘insurtech’ and ‘bank- latory approaches or frameworks identified internationally ing as a service’ offerings. are necessarily equally effective, and it will be some time before effectiveness of different approaches becomes clear, this is intended to assist policy makers in develop- 2.3  HOW THE PAPER IS STRUCTURED ing countries to draw from practical experiences. Where useful, particularly where there is still a lack of emerging This paper focuses on consumer risks arising in the approaches from authorities, the paper also draws from context of the four selected fintech products—digital other international guidance and research, such as from microcredit, P2PL, investment-based crowdfunding, international organizations and commentators. and e-money. Chapters 4 to 7 set out a discussion of new manifestations of consumer risks and correspond- ing regulatory approaches in relation to each of these KEY FINTECH PRODUCTS 2.2  products. Readers interested in focusing on only some COVERED IN THIS PAPER of these products may consult the relevant product chapter for a stand-alone discussion. This paper covers four key fintech products: digital microcredit, P2PL, investment-based crowdfunding Chapter 3 (section 3.1) provides an overview of con- and e-money (as defined in Table 2 below). These fin- sumer risks identified in the product-specific chapters tech products were selected primarily for two reasons. that are relevant to most of or all four fintech products First, they are examples of fintech offerings that can discussed in the paper. The chapter provides examples, address some of the most basic needs of first-time, and based on the product-specific chapters, of how relevant thus inexperienced, financial consumers (of particular rel- risks arise in connection with the various products. The evance in developing countries)—namely, making pay- section also briefly touches on some key issues related to ments, borrowing, or saving or investing money. Second, data privacy. they represent different stages in the development of fin- tech product offerings and corresponding regulatory and Chapter 3 (section 3.2) also discusses key consider- policy frameworks that surround them, ranging from more ations for regulators contemplating implementation of regulatory measures to address relevant consumer TABLE 2: Fintech Products Discussed in This Paper FINTECH PRODUCT DEFINITION FOR PURPOSES OF THIS PAPER Digital microcredit Credit products that are short term, low value, accessed via mobile devices, and typically involve automated credit scoring and fast approval. Peer-to-peer lending (P2PL) The provision of credit facilitated by online platforms that match borrowers with lenders, encompassing a spectrum ranging from • Platforms that facilitate consumers acting as direct lenders for individual loans; to • Platforms that allow consumers to invest in individual loans, or in pools or portfolios of loans indirectly, being exposed to the credit risk of those loans without being the lender of record. Investment-based crowdfunding The connecting and matching of primarily small enterprises seeking to raise invest- ment finance by issuing securities (debt or equity) to prospective, primarily retail, investors (the crowd) through online platforms. Electronic money (e-money) A store-of-value product with the following characteristics: • It is a digital representation of a fiat currency (legal tender); • It is a claim against the provider; • It can be redeemed at face value on demand; and • It is accepted as a means of payment by persons other than the provider. Introduction  15 risks in their jurisdiction. Although the paper’s focus is on can affect consumers), gender-based and other discrimi- regulation, not supervision, the section highlights the very nation, areas of structural disadvantage affecting consum- important complementarity of supervision. ers, and competition and monetary policy. The paper briefly touches on credit scoring to discuss AREAS OUTSIDE THE SCOPE OF 2.4  key consumer risks in connection with unfair lending in THIS PAPER a digital microcredit and P2PL context. However, it does not set out an analysis of such issues and regimes, which This paper is intended to assist authorities in consider- warrant their own separate detailed consideration.29 ing risks that are more appropriately addressed through FCP regulation and dealt with by market conduct regu- The paper also includes a short, high-level section lators. There are a range of other areas of risk not covered touching on issues related to data privacy but is not in this paper that may affect the public, and thus consum- intended to be an exhaustive canvassing of privacy ers, more broadly and can overlap with FCP—all of which risks. While critical for financial consumers, data pri- governments should consider as part of a comprehensive vacy risks typically involve considerations going beyond strategic approach to fintech in their jurisdictions. These a financial consumer lens and are ideally addressed include money laundering and the financing of terrorism, through regulatory approaches that go beyond sector- prudential concerns and requirements (including capital specific regulation. and liquidity requirements intended to address risks that 16   Consumer Risks in Fintech NOTES 13 See World Bank Group and International Monetary Fund, Bali Fintech Agenda, 12. 14 World Bank Group and International Monetary Fund, Bali Fintech Agenda. 15 IMF, Promise of Fintech. 16 For an overview of risks and benefits in a digital financial services context, see G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protection Policy Approaches, 12–14. 17 See, for example, Duoguang, “Growing with Pain,” 42; Owens, “Responsible Digital Credit,” 8–9; Huang, “Online P2P Lend- ing,” 77; Hornby and Zhang, “China’s Middle Class.” 18 For example, a 2017 MicroSave study found that 2.7 million Kenyans were blacklisted in credit reference bureaus in the past three years, 400,000 of these for amounts of less than $2. See MicroSave, “Where Credit Is Due.” 19 See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.” 20 For example, 76 percent, 80 percent, and 89 percent of low-income survey respondents in Ghana, India, and Kenya, respec- tively, indicated they were late in making loan repayments since the pandemic began. See BFA Global, “Dipstick Surveys.” 21 See, for example, Gibbens, “Helping Small Businesses.” 22 See, for example, IMF, “Digital Financial Services and the Pandemic.” See also Jurd De Girancourt, “How the COVID-19 Crisis May Affect Electronic Payments.” 23 Bae, “S. Korea to Place Investment Cap.” 24 See, for example, SEC, “Facilitating Capital Formation and Expanding Investment Opportunities.” 25 World Bank Group and CCAF, Regulating Alternative Finance, 63. 26 World Bank Group, Good Practices. 27 See also OECD, G20 High-Level Principles on Financial Consumer Protection, and the various published Effective Approaches to Support. 28 World Bank Group and CCAF, Regulating Alternative Finance, 47. 29 For a discussion of relevant issues, including implementation and operation of credit reporting and scoring arrangements in developing countries lacking formal data sources, see, for example, World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines, and ICCR, Use of Alternative Data. OVERVIEW AND IMPLEMENTATION CONSIDERATIONS 3 OVERVIEW AND IMPLEMENTATION CONSIDERATIONS This chapter provides an overview of consumer risks • Fraud or other misconduct: Factors such as the nov- relevant to all or most of the four fintech products dis- elty, opaqueness, or complexity of certain fintech cussed in this paper—digital microcredit, P2PL, invest- business models and fintech entities’ responsibilities, ment-based crowdfunding, and e-money—although as well as the lack of consumer familiarity, can lead to the way relevant risks manifest may differ between new or heightened risks of loss from fraud or miscon- those products. The chapter discusses both examples of duct by FSPs or third parties. how such risks arise in the context of the different prod- • Platform/technology unreliability or vulnerability: ucts and examples of regulatory approaches intended to If a fintech platform or other systems underpinning a address them. fintech offering are unreliable or vulnerable to external threats, they may expose consumers to heightened This chapter also discusses some key implementation risks of loss and other harm. considerations for regulators contemplating imple- mentation of regulatory measures to address relevant • Business failure or insolvency: Consumers whose consumer risks (see section 3.2). While the paper’s focus funds are held or administered by a fintech entity may is on regulation, not supervision, the important comple- risk losing those funds if the entity becomes insolvent mentarity of supervision is also highlighted in this chapter. or their business ceases to operate, and factors such as inexperienced entrants and riskier or novel business models can increase such risks. CROSS-CUTTING RISKS AND 3.1  • Consumers not being provided with adequate infor- REGULATORY APPROACHES mation: The standard risks arising from consumers not being provided with adequate product information This section provides an overview of the following can be heightened when new types of pricing, prod- cross-cutting risks, and their corresponding regulatory uct features, and risks are introduced, or where digital approaches, relevant to most or all of the fintech prod- channels for communication pose challenges to con- ucts covered in this paper. The discussion draws exam- sumer comprehension. ples from the product-specific chapters. The different contexts in which these risks may arise are discussed in • Product unsuitability: Fintech can increase access to more detail in chapters 4–7. riskier or complex financial products to consumers that may lack knowledge or experience to assess or use • Gaps in regulatory perimeter: Consumers of fintech them properly, leading to greater risks of harm due to products may receive less protection than consumers product unsuitability. of traditional financial products if there are gaps in the coverage of their country’s existing FCP regulation and • Conflicts of interest and conflicted business models: financial sector oversight. Fintech business models may give rise to conflicts of interest under new circumstances not foreseen by reg- ulators or expected by consumers. 18 Overview and Implementation Considerations   19 • Algorithmic decision-making: The use of algorithms the same as offered in a traditional credit context, with for consumer-related decisions is becoming particu- product differences usually relating only to distribution larly prevalent in highly automated fintech business channel, pricing, and other features. However, the novel models and some scoring decisions may lead to unfair, nature of the lender offering that digital microcredit— discriminatory, or biased outcomes. such as a non-financial entity or an app-based lender— may not fall within the existing authority of any financial • Data privacy: This is a particularly crucial consider- sector regulatory body. Similarly, consumer peer-to-peer ation in relation to fintech offerings, given their highly (P2P) loans are often unsecured, amortizing loans, very data-driven nature. similar to personal installment loans provided by tra- ditional lenders such as banks and finance companies. a)  Gaps in regulatory perimeter The key innovation in P2PL has been giving prospective borrowers access facilitated by technology—specifically Risks to consumers by online platforms—to potential lenders that they did Consumers of fintech products may risk receiving not have before. Although private individuals may be the less protection than consumers of traditional financial lenders of record, they may not be subject to existing products due to gaps in the coverage of their coun- requirements in an institution-based framework and in try’s existing FCP regulation. The practical risk for con- any case are unlikely to be as well placed as the platform sumers from such gaps is that fintech entities may not operator to meet FCP requirements. Another example be obliged to address the range of consumer risks dis- arises from the challenges in regulating e-money prod- cussed later in this paper and that consumers do not have ucts offered by mobile network operators (MNOs). These access to measures such as complaint-handling mecha- entities may be regulated in relation to their core busi- nisms because they do not extend to fintech offerings. ness by a telecommunications regulator. However, in an A country’s existing FCP rules may not extend to fintech institution-based model, their e-money activities are not products and thus may not protect their consumers due necessarily regulated by the financial services regulator to the nature of those products or, even where a fintech (such as the authority responsible for the payments sys- product is equivalent to a traditional offering, due to the tem). A leading example of these challenges existed with nature of the providers or their business arrangements. If the M-Pesa product in Kenya when it was initially offered a country’s regulator lacks power to regulate or supervise by an MNO. fintech entrants in their market, this can hamper efforts to address such gaps. Gaps can still arise in regimes that adopt activity-based approaches if these are not sufficiently flexible to Gaps in regulatory coverage frequently result from a address differences between traditional and fintech fintech product not fitting easily within existing regu- business models. For example, the EU Directive 2008/48 latory concepts. Even if the core nature of the product is on Consumer Credit Agreements, which mandates a familiar, key aspects may differ so significantly from those range of FCP obligations for non-mortgage consumer of traditional products that the fintech product does not lenders, applies to lenders only if undertaking lending in fit clearly within categories contemplated by current FCP the course of a trade, business, or profession. In a P2PL regulation. For example, in the case of P2PL, while plat- business model where the platform operator facilitates form operators may provide services to individual lend- lending by third parties, the operator would not be the ers/investors akin to traditional investment services (such regulated as the lender, given they are not the lender as acting as an intermediary, operating a collective invest- of record, despite controlling important aspects of the ment scheme, or providing financial advice), the novelty lending and being better placed to comply with relevant of P2PL arrangements has at times generated uncertainty requirements. regarding whether and how P2PL is subject to existing investor protection laws.30 A country’s framework may not cover providers that offer services to consumers on a cross-border basis. A Gaps in regulatory coverage of fintech offerings also country’s regulation may extend only to financial products frequently arise from regulation that covers financial offered by providers within the jurisdiction, rather than products or services provided by traditional providers products offered to consumers in the jurisdiction regard- only, such as banks. This is sometimes referred to as insti- less of the location of the provider. While such a gap may tution-based regulation. In contrast, activity-based regu- not affect only fintech offerings, the ease with which fin- lation focuses on the activity being undertaken, rather tech products may be offered through digital channels than the provider undertaking it. For example, in the increases the potential impact of this gap. For example, in case of digital microcredit, the core product—a loan—is a digital microcredit context, consumers may access ser- 20   Consumer Risks in Fintech vices of app-based lenders operating from outside their vary; for example, adopting a hybrid approach may be con- jurisdictions, making it difficult for authorities to monitor sidered more expedient in their domestic legal context, or such activities. Similarly, a foreign-based crowdfunding more effective to address consumer issues. Mexico intro- platform could be soliciting and promoting investments duced a new overarching Financial Technology Institutions to potential retail investors across borders. Law38 (sometimes referred to as its Fintech Law) to cover fintech areas such as investment-based crowdfunding and Regulatory approaches P2PL. The law introduced some FCP requirements and Applying FCP requirements by activity, rather than by allows regulators to issue additional FCP rules. However, type of institution, can help ensure that fintech entities Mexico already had in place a range of FCP requirements are subject to FCP obligations regardless of their insti- applicable to other financial institutions, such as the Law on tutional type or business model. In the case of digital Transparency for Financial Services.39 Fintech entities reg- microcredit, countries that apply credit-related licensing ulated by the Financial Technology Institutions Law have and conduct regulation to all consumer credit-related also been made subject to these existing requirements. In activities, rather than to specific credit institutions, are bet- the case of investment-based crowdfunding, while many ter able to cover all models of digital microcredit, regard- countries’ existing capital markets regulatory frameworks less of whether such activities are undertaken by bank or cover investment activities, adjustments have needed to non-bank lenders, MNOs, some other kind of entity, or a be made to focus specifically on the nature of the partici- combination of actors. Similarly, in the case of e-money, a pants in crowdfunding and their investment offerings. range of jurisdictions apply an activities-based approach to licensing requirements for e-money issuers, allowing A country’s FCP regulator may lack the mandate to only licensed entities to offer such products, whether they extend FCP rules to institutions that it does not already are traditional banks or similar institutions or other kinds regulate. Until such a mandate can be extended, a short- of entities. A few examples include Malawi,31 the Philip- term solution may be to leverage powers of other reg- pines,32 and Mexico.33 ulators, such as those responsible for general consumer protection. In Kenya, the Competition Authority of Kenya A focus on activities, rather than entity types, may also stepped in to issue rules on disclosure for digital finan- assist regulators in identifying and addressing con- cial services (including digital microcredit) for all pro- sumer risks more comprehensively. An activity-based viders, including those not regulated by financial sector approach to regulatory policy may help regulators focus authorities, to address pervasive concerns observed on risks that arise from each activity from a consumer per- throughout the market.40 Similarly, telecommunications spective, regardless of the entity that engages in them. authorities may be in a position to apply FCP require- ments to MNOs entering the fintech space. While none Some countries have addressed coverage gaps by of these approaches are necessarily ideal (and may raise incorporating FCP rules into new frameworks for spe- difficulties in ongoing monitoring and enforcement), they cific fintech products, separate from existing FCP could possibly be leveraged to achieve incremental prog- requirements. There are many examples of regulatory ress in putting in place protections for consumers. Where frameworks developed for e-money that incorporate FCP such approaches are employed, close coordination will be rules. Under Ghana’s Payment Systems and Services Act,34 necessary between sectoral authorities. the only entities that can engage in “electronic money business” are licensed banks and licensed non-banks. For activity-based coverage of FCP rules to be effec- The Malaysian Financial Services Act35 takes an equivalent tive, the regulatory framework needs to incorporate approach. Under that Act, no person can carry on a busi- concepts that are sufficiently broad and flexible to ness of issuing a “designated payment instrument” (which cover new and developing business models and entity includes “electronic money”) unless it is approved by Bank roles. Some jurisdictions have found that broad concepts Negara Malaysia (BNM). The Chinese authorities have in existing legislation, such as relating to lending or invest- issued a separate regulatory framework to cover P2PL ment activities, were effective in automatically extending activities.36 Nigeria, among a range of jurisdictions that regulation to new fintech offerings. Australian consumer have taken a similar approach, is in the process of devel- credit legislation already regulated any “credit activities” oping a crowdfunding-specific regulatory framework.37 involving consumers carried out as part of a business, including not only the provision of credit but also the pro- Many countries have taken a hybrid approach, bringing vision of a range of credit-related assistance to consumers fintech products within some existing FCP regulatory or acting as an intermediary between a lender and a con- frameworks while also developing separate rules to sumer. It therefore was deemed to apply already to new address specific issues or concerns. Reasons for doing so P2PL platforms’ intermediation activities.41 Overview and Implementation Considerations   21 Explicit guidance may sometimes be used by regulators Holders of e-money, for example, face the key risk of to clarify that existing rules already cover fintech activ- agent fraud, among other fraud risks. While not unique ities. In the United States, the Securities and Exchange to e-money, agent-related fraud can be a significant risk, Commission (SEC) chose to send a strong signal to indus- given the potentially extensive reliance on such agents. try that the 1933 Securities Act42 already applied to invest- This can include agents charging unauthorized fees, split- ment-related activities in a P2PL context by entering into a ting transactions or encouraging multiple accounts to earn cease-and-desist order against a major P2PL platform on more commissions, transferring account holders’ funds to the basis it was not complying with the Act.43 their own account, and “skimming” small extra amounts into their own accounts when processing a transaction.47 Some authorities have considered it necessary to intro- Some of these risks can arise when consumers share their duce brand-new concepts into legislation to capture security credentials with an agent and if an agent assists a fintech activities adequately. In the case of P2PL in the consumer with a specific transaction. They are especially United Kingdom, existing rules were amended to provide likely to occur if the consumer has a low level of digital for a new category of regulated firms undertaking the capability and needs assistance to process a transaction. activity of “operating an electronic system in relation to lending.”44 Indonesia introduced a new category of activ- There have also been a number of significant incidents ity referred to as “information technology–based loan ser- of fraud and misconduct involving P2PL and invest- vices.”45 Regulators also started adjusting existing investor ment-based crowdfunding platforms. For example, protection laws to reflect the nature of issuers and investors extensive P2PL platform failures in China resulted in sig- in the context of investment-based crowdfunding.46 Regu- nificant losses for many consumers,48 with severe finan- lators would ideally seek to avoid limiting descriptions of cial and personal impacts.49 Some major failures were regulated activities to particular business models, so as to due to internal fraud, such as a platform ultimately found allow for further market development while avoiding the to be a Ponzi scheme (with most of its loan listings being creation of new gaps. Nevertheless, these are likely to fraudulent), causing almost 900,000 individual lenders/ require continued monitoring and adjustment over time. investors to lose the equivalent of $7.6 billion.50 Inves- tor fraud can similarly be perpetrated through crowd- Addressing gaps in the coverage of cross-border fin- funding platforms by issuers or by platform operators tech activities tends to require a range of measures. themselves. Issuers may try to defraud potential inves- These include applying a country’s FCP requirements (and tors through fraudulent business proposal and plans, by regulators’ mandates) to fintech entities dealing with con- concealing facts about their business history or manage- sumers in that country, regardless of where the providers ment, or simply by using misleading promotion tech- are based. In practical terms, however, measures such niques. Consumers may also be subject to fraud from as cross-border coordination and cooperation between within the platform operator, such as sham or mislead- authorities (as also discussed in section 3.2 below) are ing offers. The extent of these risks can depend on the usually necessary to support the enforcement of relevant types of post-investment services the platform operator requirements. provides, such as whether the platform holds or receives client money, undertakes payment services (for exam- ple, channeling payments from issuers to investors), or b) Fraud or other misconduct if the platform operator represents investors through a Risks to consumers nominee structure or runs a secondary market for issued A fundamental concern for consumers with respect securities. Risks also arise from crowdfunding trading to fintech products, and transacting through digital platforms and bulletin boards used in secondary markets means more generally, is suffering losses from fraud or for the exchange of information about crowdfunding other misconduct by FSPs as well as third-party fraud. securities. Of course, there may also be a risk of entirely The circumstances under which such losses may arise are fraudulent crowdfunding sites. myriad, such as internal theft of funds, identity theft, or Lenders/investors involved in P2PL are also at risk of phishing. Potential perpetrators include FSPs themselves, losing funds provided to fraudulent borrowers, while their employees, agents, merchants, business partners fraudulent apps pose risks to digital microcredit bor- and service providers, and external actors. These perpe- rowers. The fraud may involve a borrower (or a purported trators, and the data or facilities being affected, may be operator) absconding with the relevant funds as soon located remotely (such as in the cloud) and even inter- as they are provided or a borrower providing incorrect nationally, creating additional enforcement and evidence information about their ability to repay a loan (such as gathering difficulties. information about their income). For digital microcredit, 22   Consumer Risks in Fintech consumers face risks due to fraudulent lending apps that (RBI) requires P2PL operators to ensure that they meet fit solicit application fees or personal data but fail to provide and proper criteria at the time of their appointment as any credit. well as on an ongoing basis. In Dubai, senior managers and directors of investment-based crowdfunding platform Cross-cutting regulatory approaches operators must pass fit and proper criteria, including that they must have recognized knowledge and experience Authorization and vetting requirements and be of good professional repute.60 Requiring fintech entities to be licensed or registered and vetted prior to being granted such license or reg- Risk management and governance requirements istration can be an important mechanism to filter out Regulators are increasingly subjecting fintech entities unscrupulous entities that are more likely to commit to general risk management and governance obliga- fraud or engage in other misconduct. Such vetting, as tions that often apply to traditional providers.61 Such well as scrutinizing matters such as any prior criminal his- obligations are generally intended to be flexible and set tory or other history of bad conduct, may examine the expectations on fintech entities that adjust to the char- ability of entities and their management to deal with the acteristics of their business and circumstances. For exam- risk of internal or third-party fraud and misconduct. Ideally, ple, fintech entities in the United Kingdom are subject to such requirements are accompanied by awareness cam- several overarching obligations (known as the “Principles paigns encouraging consumers to deal only with licensed for Business”) that apply to authorized firms. One is that or registered entities. As discussed above in the context they must take reasonable care to organize and control of regulatory perimeter gaps, many jurisdictions require their affairs responsibly and effectively, with adequate risk e-money issuers to be licensed or registered. Some coun- management systems.62 Drawing from this principle, the tries require the licensing or authorization of all providers UK Financial Conduct Authority (FCA) has issued more of consumer credit, such as in Australia51 and Portugal, extensive general obligations and guidance with regard which effectively results in all digital microcredit provid- to risk management.63 Mexico’s Financial Technology ers being required to be licensed or authorized. Licensing Institutions Law similarly makes demonstrating implemen- or registration requirements have rapidly been adopted tation of controls for operational risk a key aspect of being internationally in relation to P2PL. For example, this was authorized as a fintech operator, as well as more specifi- recommended by the European Banking Authority (EBA) cally fraud prevention.64 in the European Union,52 and some European jurisdictions already had such regimes). Recent reforms in China now Technology-related and cyber risk management require- mean that P2PL platform operators are required to go ments are also an essential mitigant to address fraud through multiple stages of authorization, including vet- risk that arises from vulnerabilities affecting a fintech ting requirements.53 As noted above, the United Kingdom platform or other systems. These are discussed below in introduced in its new rules the activity of “operating an the context of platform and technology unreliability and electronic system in relation to lending,” which requires vulnerability risks. authorization. Crowdfunding authorization approaches similarly vary across jurisdictions. Some jurisdictions, such Regulators have also been mandating the reporting of as the European Union54 or United States,55 have created large-scale fraud and security breaches to assist their specific bespoke categories for crowdfunding platform response. For example, the European Union,65 Ethiopia,66 operators, while others, such Australia,56 Dubai,57 and and Kenya67 require reporting to the regulator of such Nigeria,58 apply existing categories of authorized firms as events in relation to payment products. The European the bases for licensing crowdfunding activities. Union’s Directive 2015/2366 on Payment Services (PSD2) also requires that users be informed of any security inci- Vetting requirements to support authorization frame- dent that “may have an impact” on their financial inter- works generally focus on good reputation and ade- ests.68 quate knowledge and experience/qualifications of fintech entities and their management as the main prin- Liability and responsibility for staff and agents ciples to be followed when authorizing their activities. While providers to some extent may be liable for the As the EBA notes in relation to P2PL platforms, this could conduct of persons acting on their behalf under gen- comprise checking that individuals managing a platform eral laws (for example, on employment or agency), reg- meet appropriate standards for competence, capability, ulators frequently consider it necessary to impose clear and integrity.59 This should be the case both when first responsibility and liability for such matters on the prin- applying for authorization and on an ongoing basis while cipal. For example, Ghana’s Payment Systems and Ser- they continue to be authorized. The Reserve Bank of India vices Act makes a principal liable for all acts of an agent Overview and Implementation Considerations   23 “in respect of the agency business” and explicitly states places the burden of proof on the provider if they want that this liability applies even if the acts are not authorized to show a consumer’s liability for all or part of an unau- by the agency agreement.69 thorized transaction.74 Warnings and information for consumers In fintech business models where consumers may suf- Some jurisdictions impose requirements on providers fer loss due to fraud by external participants facili- to warn consumers about risks associated with fintech tated by a platform operator, such as fraud by issuers products. These requirements frequently cover more than on investment-based crowdfunding platforms or bor- fraud-related risks and are discussed in more detail in the rowers on P2PL platforms, an important mitigant is section on information-related risks below. requiring appropriate due diligence by platform oper- ators. The level of thoroughness and efforts required of Segregation of client funds platform operators differ among jurisdictions. They can Requirements that consumers’ funds be segregated range from platform operators simply being expected from other funds held by a fintech entity, and held to satisfy themselves that a fraud is highly unlikely in a with appropriately regulated institutions, can also miti- particular case to expecting operators to examine the gate to some extent against risk of losses due to fraud. appropriateness of issuers’ business plans. In the United Such segregation can make it more difficult for funds to States, a crowdfunding platform operator (funding por- be misappropriated, such as in the context of fraudulent tal) needs to deny access to an issuer if it has a reason- schemes internal to the entity. These regulatory measures able basis for believing that the issuer or the offering are discussed in more detail below in the context of risks presents the potential for fraud or otherwise raises con- of loss that may arise due to entity insolvency or business cerns about investor protection.75 However, there is no failure. obligation for a funding portal to fact-check the business plan of an issuer. In the United Kingdom, the FCA does Product-specific regulatory approaches not prescribe due diligence requirements for platform Regulators have also been implementing regulatory operators but requires that platforms disclose to inves- requirements seeking to address specific circumstances tors the level of due diligence undertaken. Platform under which fraud may arise in relation to particular operators are also under a general duty to exercise skill, products. These are discussed in more detail in the prod- care, and diligence as well as to act in the customers’ uct-specific sections of the paper. best interests.76 In Australia, platform operators have to check the identity and eligibility of the issuer, whether Key examples of such mitigants in an e-money and managers are fit and proper, and the completeness and broader payment-transactions context include legibility of the offer document.77 Dubai and Malaysia requirements for authenticating transactions and lim- have more stringent requirements. In Dubai, an opera- itations on consumer liability for unauthorized trans- tor must conduct extensive due diligence on each issuer actions. These are often balanced by obligations on before allowing it to use its service.78 Malaysia’s require- consumers to report relevant incidents and take certain ments, while less detailed, do require the platform oper- precautions within their control. For example, the Euro- ator to verify the issuer’s business proposition in addition pean Union’s PSD2 mandates “strong customer authen- to conducting background checks to ensure the issuer, tication” (defined in some detail to include the use of its management, and its owners are fit and proper.79 two or more independent elements—that is, two-factor Requirements for assessing prospective borrowers on authentication) as a means to mitigate the risk of fraudu- P2PL platforms discussed in the section below dealing lent transactions. Ghana’s Payment Systems and Services with product suitability would also be relevant in mitigat- Act requires a provider to “ensure” that a transaction ing potential fraud risk by such borrowers. against an account is authorized by the account hold- er.70 The European Union’s PSD2 also places a cap on FCP regulatory measures against fraud should of course consumer liability for unauthorized transactions of €50 be additional to a country’s financial crime measures unless there is fraud or gross negligence by the consum- under anti-money laundering/countering the financing er.71 However, the provider may not be liable if notice of terrorism (AML/CFT) laws and general criminal laws. of an unauthorized transaction is not given in a speci- Ideally, financial sector regulators should closely monitor fied period.72 Users must be advised of their obligation the incidence of such activities in consultation with other to report events such as lost or stolen mobile devices national agencies and implement FCP mitigants particu- or compromised security credentials “without undue larly where risks may be more appropriately dealt with, or delay” and be provided with “appropriate means” to borne by, fintech entities, rather than consumers. make such reports.73 The European Union’s PSD2 also 24   Consumer Risks in Fintech c) Platform/technology unreliability or vulnerability tech entities to address risks related to platform and other technology unreliability and vulnerabilities. Risks to consumers If a fintech platform or other technology systems under- Targeted risk management and operational reliability pinning a fintech offering are unreliable or vulnera- requirements ble to external threats, they may expose consumers Regulators are increasingly making FSPs, including fin- to heightened risks of loss and other harm. When tech entities, subject to specific obligations targeting acquiring traditional financial products or services, con- technology and systems-related risks and reliability sumers already face some level of risk of harm resulting issues. In Indonesia, a P2PL platform operator must meet from interruptions or failures in an FSP’s processes and a range of obligations with regard to its information tech- systems. However, the extent of these risks is likely to be nology and the security of that technology, including resil- particularly high in a fintech context, given the extent of ience to system interference and failures.82 Requirements reliance on technological processes that, in some cases, include rules on the establishment of a disaster recovery may be relatively new. A working group of the Bank for center, acquisition and management of information tech- International Settlements’ (BIS) Committee on the Global nology, and incident management and implementation Financial System relevantly noted, for example, that fin- of security measures. In the case of e-money issuers, the tech credit platforms may be more vulnerable than banks European Union’s PSD2 requires that payment service to certain operational risks, such as cyber risk, due to their providers have appropriate mitigation measures and con- reliance on relatively new digital processes.80 Another trol mechanisms to manage operational (and security) aspect that can give rise to additional risk is significant risks, and that they report to the regulator about these reliance on third-party providers, with potential disruption risks at least annually.83 In Malaysia, e-money issuers must of outsourced services. Lack of reliability issues can obvi- comply with detailed requirements including for com- ously also be affected by broader issues of connectivity prehensive and well-documented operational and tech- and telecommunications infrastructure affecting a coun- nical procedures to ensure operational reliability and a try, although measures to address these going beyond robust business continuity framework, including a reliable FCP are outside of the scope of this paper. back-up system.84 Ghana goes so far as to specify a very specific requirement that an e-money issuer (or a payment Such unreliability or vulnerability can have a range of service provider) ensure “high quality performance of at adverse impacts on consumers, ranging from incon- least 99.5% service availability and accessibility.”85 venience and poor service to monetary losses due to third-party fraud or loss of data integrity. Such impacts Outsourcing-related risk management could mean, for example, that e-money transactions can- Given the extent to which fintech entities may out- not be initiated or completed as expected, that credit source a range of their activities to third parties,86 an repayments due under P2PL or digital microcredit facilities important risk management obligation would be to are not processed in a timely manner, that there are delays take appropriate steps to avoid additional operational in receiving loans, or that crowdfunding investors do not risk resulting from such outsourcing. In the case of P2PL receive the financial returns to which they are entitled. platform operators, for example, the RBI’s rules set out Consumers may lose funds, incur additional charges (such obligations for operators to ensure sound and responsive as late payment fees and penalty interest), or forgo gains risk management practices for effective oversight, due dil- if transactions cannot be completed on time or correctly. igence, and management of risks arising from outsourced Platform or technology vulnerability may also contribute activities.87 Ensuring that fintech entities remain legally to third-party fraud due to vulnerability to cyber risks. In responsible to consumers for outsourced functions can a recent large-scale fraud in Uganda, hackers reportedly also assist—as contemplated, for example, by the Euro- broke into the systems of Pegasus Technologies, which pean Union’s crowdfunding regulation.88 processes mobile money transactions for entities such as MTN Uganda, Airtel Money, and Stanbic Bank.81 Product-specific regulatory approaches Regulators have also been implementing regulatory Cross-cutting regulatory approaches requirements addressing how reliability and vulnera- General risk management requirements bility issues may affect specific fintech products. In the As discussed above in the context of mitigants against case of e-money, regulators are mandating time frames fraud risks, regulators are increasingly subjecting fin- within which transactions must be processed—such as the tech entities to general risk management and gover- European Union’s PSD2 requirement that payments be nance obligations. The expectations imposed by such credited to the payee by the end of the business day after requirements would clearly also target the need for fin- the time of receipt.89 Requirements that users be noti- Overview and Implementation Considerations   25 fied of service interruptions have also been introduced An investment-based crowdfunding platform’s failure in a range of jurisdictions to assist consumers to mitigate can similarly leave investors without services essential the impact. For example, Ghana requires that users of to realizing the full value of their investment. The extent e-money be notified within 24 hours of a service disrup- and nature of such risk depend on factors such as whether tion or an anticipated disruption.90 the platform holds client money, undertakes payment ser- vices (for example, channeling payments from issuers to investors), represents investors through a nominee struc- d)  Business failure or insolvency ture, or runs a secondary market for issued securities. Loss Risks to consumers of access to such services from the operator due to tem- porary or permanent platform failure can cause financial Consumers whose funds are held or administered by a loss as well as operational detriment to investors. fintech entity may risk losing those funds if the entity becomes insolvent or their business ceases to oper- If an e-money provider becomes insolvent then, depend- ate. The fact that many fintech entities are relatively new ing on the way funds are held and controlled, funds entrants in the financial sector increases those risks. The may be insufficient to meet the demands of e-money nature and extent of such risk also depends on the par- holders or other unsecured creditors. This is a partic- ticular fintech business model employed, as well as the ular concern with e-money not considered a “deposit” fintech product and the applicable regulatory framework. protected under banking laws and without the benefit of deposit insurance. Operational failure may also make it A consumer participating in P2PL as a lender/investor difficult for consumers to retrieve their funds. may risk losing their committed loan principal, or repay- ments owed to them, that are being held or admin- Regulatory approaches istered by a platform operator that goes insolvent or fails. Borrowers can also face risks of losing funds under Segregation of client funds such circumstances. For example, when consulting on A key mechanism to address the risk of loss of funds proposed regulatory reforms for P2PL in the United King- due to operator insolvency in the case of P2PL and dom, the FCA said it considered P2PL platform operators crowdfunding platforms, as well mishandling more to present a high risk of consumer harm, given they may broadly, are requirements for client funds to be seg- hold or control client funds before lending these to bor- regated from other funds held by the platform oper- rowers.91 Likewise, a borrower may miss out on receiving ator. As highlighted by the EBA, for P2PL arrangements funds intended for them from lenders/investors as a result the main alternatives entail either the platform operator of the operator’s insolvency. The EBA has pointed out the being appropriately authorized and regulated (such as with risk of a lender/investor’s funds not being transferred to regard to capital requirements) to hold such funds, before the intended borrower if the platform is not required to being permitted to undertake money-handling activities hold appropriate regulatory authorizations and have in on investors’ behalf, or the operator having to ensure that place adequate arrangements to safeguard such funds.92 a separate, appropriately regulated entity handles those Depending on the legal relationships between the par- funds on investors’ behalf.93 Both the RBI94 in India and ties, borrowers may also suffer loss of funds that they are Otoritas Jasa Keuangan (OJK), the Indonesian Financial seeking to repay through the platform but fail to reach Services Authority,95 have mandated that P2PL platform lenders/investors. operators operate escrow accounts for this purpose. In the United Kingdom, key requirements in this regard are that Consumers acting as lenders/investors run the risk of the platform operator would be required to deposit such suffering losses in the event of a P2PL platform opera- funds at an appropriate institution (that is, a bank), keep tor’s business failure (regardless of cause) even if their records and accounts, and conduct appropriate internal assets are ring-fenced from the operator’s insolvency as and external reconciliations so they can always distinguish already discussed above. Business cessation can mean been funds held for different clients.96 Recent reforms in that individual loans that remain viable may not continue China mandate separation of platform owners’ funds from to be administered properly, causing corresponding loss. those of lenders/investors and borrowers. Equivalent mea- An investor can suffer considerable harm if a P2PL plat- sures can be seen internationally in relation to handling of form ceases to provide management and administration investor funds by investment-based crowdfunding plat- services. In practical terms, this can mean an individual forms. In the United States, platform operators are prohib- lender/investor not receiving some or all of the repay- ited from holding, possessing, or handling investor funds ments for the loans that they made or invested in through (or securities). In France, crowdfunding platforms likewise the platform, unless they retrieve payments directly from may neither receive funds directly from investors (except borrowers themselves. for payment of their own fees) nor receive securities from issuing companies.97 26   Consumer Risks in Fintech Requirements for issuers to isolate and ring-fence platform failure, platform operators should be required to funds paid by e-money holders are a well-recognized have resolution plans in place allowing loans to continue core regulatory mitigant for e-money arrangements. to be administered.103 In Dubai, an operator must maintain Regulators typically also apply requirements to safe- a business-cessation plan that sets out appropriate contin- guard such funds in the holding institution. There are gency arrangements to ensure the orderly administration many country examples of such requirements. Malawi’s of investments in the event that it ceases to carry on its Payment Systems (E-Money) Regulations require that an business, and the operator must review its business-cessa- e-money service provider maintain a trust account at a tion plan at least annually to take into account any changes bank that holds an amount no less than 100 percent of to its business model or to the risks to which it is exposed. outstanding balances, and no more than 50 percent may be held in any one bank. The funds in the trust account E-money regulatory frameworks also frequently have must be unencumbered and must not be intermediat- business continuity requirements. For example, PSD2 ed.98 In some cases, trust account (or equivalent) obli- requires an applicant for authorization as a payments institu- gations apply only to non-bank issuers; banks that issue tion to provide a description of business continuity arrange- e-money have lesser obligations (presumably because of ments including clear identification of critical operations, the prudential regulations that already apply to them). contingency plans, and a procedure to test and review the For example, in Tanzania banks that are e-money issu- adequacy and efficacy of those plans regularly.104 ers have to open a “special account” to maintain funds deposited by non-bank customers issued with e-money. Record-keeping requirements In order to protect e-money customers’ funds deposited Record-keeping arrangements are also used as a miti- in banks, some countries require safeguarded funds to gant in this context, although they are obviously crucial be held in more than one bank when they reach a certain more broadly to support the integrity of a fintech enti- threshold. In Kenya, if the relevant amount is over K Sh ty’s business operations. P2PL platform operators in the 100 million, then the funds must be held in a minimum of United Kingdom are subject to general requirements, as two “strong rated banks” with a maximum of 25 percent authorized firms, to keep orderly records of their business, in any one bank. 99 including all the services and transactions undertaken. Other examples in the e-money context are requirements Another approach taken by some jurisdictions is to to maintain records and accounts for e-money activities extend deposit insurance to e-money accounts or that are separate from other business activities. Malaysia corresponding custodial accounts at deposit-taking has such a requirement in addition to a general require- institutions or, if not, to make sure that consumers ment to have adequate information and accounting sys- are aware of the fact that no deposit protection is tems and a proper reconciliation process and accounting being applied to their accounts. In Ghana, an e-money treatment for e-money transactions.105 holder is eligible for protection under the Ghana Deposit Protection Act provided their balance is within the pre- Risk management requirements scribed threshold.100 In the United States, the Federal Risk management and governance obligations of the Deposit Insurance Corporation has rules to the effect kinds already discussed above of course may also that the deposit insurance scheme covering a pooled reduce these risks. This would include both management account held for the purposes of a prepaid card program of risks that may ultimately lead to business failure as well will pass through to the individual card holders under as its impacts on consumers. certain conditions.101 Consumers not provided with adequate e)  Business continuity arrangements information Regulators have been requiring fintech entities to put in place business continuity arrangements in order to Fintech introduces a range of new manifestations of ensure the ongoing administration of consumers’ funds risks for consumers with respect to information dis- and investments in the event of platform failure. These closure and transparency. As is often the case with tra- arrangements typically require plans to be developed that ditional offerings, information about pricing, risks, and will allow orderly continuation of post-investment services terms of fintech products may be incomplete or insuf- in case of a wind-down of a platform. In France, P2PL plat- ficiently clear. These traditional risks to consumers are form operators are required to enter into a contract with heightened when consumers are unfamiliar with new a third-party payment institution to ensure such business types of pricing and fees, product features, terms and continuity.102 The EBA suggests that, to address relevant conditions (T&C), and risks related to fintech products. risks in the case of permanent, rather than temporary, Crucially, the digital format of delivery poses inherent Overview and Implementation Considerations   27 challenges to consumer comprehension that can require combined with overreliance on the platform can specific mitigation measures. harm investors. P2PL platform operators may not have the systems to gather sufficient information about loans The risk of inadequate information being provided being offered necessary to produce appropriate disclo- to consumers sures regarding risks and returns. Crowdfunding issuers Consumers often face incomplete or unclear informa- tend to be smaller businesses about which more limited tion about pricing when obtaining fintech products. information is available. Consumers investing in either A 2015 survey of regulators in 15 developing countries kind of platform may not appreciate the significance of found that limited disclosure of costs was the highest mar- a lack of data in assessing the risk of their investments. ket conduct concern for regulators with respect to digital They may be attracted to platform finance as a new form microcredit.106 Disclosure of pricing for digital microcredit of investment but lack familiarity with the true nature of products is often incomplete and not transparent; differ- risks associated with the new types of investment prod- ent and complex methods are used to convey pricing. As ucts offered via such platforms. Consumers would often a result, it is difficult for consumers to understand the full lack the resources necessary to analyze investments fully costs of a digital microcredit product or to compare across themselves and may also place excessive reliance on a providers. platform operator’s risk assessments or loan or investment selection, which may be of varying quality. Fees and charges are often not communicated clearly. Disclosure of fees and charges for third-party services has Inadequate information can lead consumers to choose also been found to be frequently incomplete with respect inappropriate products that ultimately harm their wel- to digital microcredit. Fees and charges associated with fare. For example, experiencing poor transparency, such services provided by P2PL platforms (for example, loan as unexpected fees or not understanding the terms of a origination, loan servicing) and fees for e-money transac- loan, correlated with higher levels of late repayment and tions (such as cash-in and cash-out) have also been noted default for digital microcredit in Kenya and Tanzania.107 to be frequently opaque. A lack of adequate information about key aspects of P2PL and crowdfunding, such as costs, risks, and rights Beyond pricing, consumers may face inadequate and obligations, can increase the risk that investors will access to the full T&C of a fintech product. Information make decisions that are uninformed or imprudent, which about e-money product features such as available trans- may lead to unexpected losses or consumers overpaying action types and elements, points of service, and trans- for their investments. In the United Kingdom, the FCA action and balance limits are necessary for consumers to expressed concern about customers being misled by be able to select products that best meet their needs. Full comparative cost claims and missing out on services that T&C are often not easily accessible over digital channels, are better suited to their needs.108 particularly with respect to feature phones. Given the lim- ited space available to convey information, providers may If information from different fintech entities cannot be favor displaying appealing information, providing incom- compared easily, consumers may find it difficult to com- plete information about consumer obligations, or merely pare offerings or to realize differences when switching referring to T&C to be found elsewhere. between providers. For example, methods used by P2PL platform operators to calculate risk-adjusted net returns Incomplete information about risks related to fintech may differ considerably between platforms due to a lack products poses a particular concern given the nov- of common standards.109 Platform operators also may not elty of fintech products and the lack of experience of make sufficiently clear the methodology used to make retail consumers. For example, traditional risks related such calculations. to non-repayment of loans can be heightened when the typical users of digital microcredit lack understanding of In addition to the aforementioned risks related to inad- borrower obligations. Similarly, in the case of P2PL, con- equate up-front information, a lack of key information sumers acting as lenders/investors may lack understand- on an ongoing basis also poses risks to consumers. This ing of loan-related risks or perceive them as equivalent includes lack of adequate ongoing information about the to risks of other investment types. E-money users may ongoing status of investments for platform finance inves- lack understanding of the security and technology-related tors, hampering their ability to adjust to changes and com- risks related to e-money. pounding the risks from their lack of understanding and familiarity of such investments. E-money users may not be For platform finance, lack of adequate information provided with sufficiently detailed transaction receipts or about the risks and returns of potential investments periodic account information, making it difficult to track 28   Consumer Risks in Fintech their accounts and identify any fraudulent activity or mis- Requiring summaries and targeted disclosures taken transactions. A summary of key T&C can be an important transpar- ency measure (in addition to ensuring that consumers Regulatory approaches for inadequate information are given access to full T&C). This measure can take Fundamental good practices for disclosure and trans- on added importance in the context of digital channels, parency remain highly relevant to fintech products. where consumers may find it more difficult to review full Providing excessive information can easily overwhelm con- T&C, or the speed of transacting creates less propensity sumers and is not the solution. Effective disclosure requires to do so. For example, when conducting sales of retail a combination of key information provided up front, access banking products and services via digital channels, finan- to fuller details, and information provided in a format and cial institutions in Portugal are required to “prominently manner that enhances comprehension and allows for com- present information on the basic features of the banking parison. International good practice on disclosure gener- product or service and on other elements deemed rele- ally indicates that fintech entities should be required to vant, such as fees and expenses that may be applicable, provide clear and sufficiently comprehensive information on the main screen or webpage of the marketing plat- on pricing and fees, product features, T&C, and risks and form, using larger characters, information boxes, pop- returns. Regulators may sometimes benefit from being ups, simulations, overviews or other similar means.”119 prescriptive regarding what information is deemed the Additional approaches to counteract the difficulties in most critical for up-front disclosure for fintech products in conveying full T&C via mobile channels include making order to ensure consistent and adequate disclosure across the full T&C easily accessible to customers on an ongoing all providers. In the United States, the lender of record for basis120 or requiring public disclosure of standard T&C.121 a P2P loan is subject to the prescriptive provisions of the Truth in Lending Act110 and its implementing Regulation Disclosure requirements that address and highlight key Z,111 (collectively, TILA) which apply to other lenders. Many risks and their consequences, and other key aspects of the e-money regulatory frameworks, such as Kenya’s, for consumers’ decisions, are likely to be particularly also include disclosure and transparency requirements, important for fintech products given their novelty and such as to disclose fees and charges and other T&C to consumers’ lack of familiarity with such products. For consumers on taking up the product and also to require digital microcredit, this includes highlighting the conse- public disclosure of fees and charges.112 quences of late payments and defaults, while e-money risks may relate to mistaken authorizations, fraud, or secu- Adaptations and enhancements are likely to be nec- rity. For platform finance, key matters can include risks essary to address unique aspects of fintech offerings. affected by the role of platform operators and, for con- Standardized total cost indicators already in use in relation sumers investing through those platforms, factors affect- to traditional credit products, such as annual percentage ing their returns. P2PL operators in China are required rate (APR) and total cost of credit (TCC), have been shown to provide a range of information to the general public to help consumers select lower-cost loan products.113 Giv- (including information about the platform operator and ing such indicators prominence when conveyed via digi- their past and current loans) as well as to prospective tal channels could assist consumers in making borrowing lenders/investors (including information about the bor- decisions. Similarly, to ensure adequate access to infor- rower, relevant loan, and the operator’s risk assessment mation, e-money issuers may be required to disclose fees in relation to the loan).122 P2PL operators in Brazil must and charges for e-money via agents, branches, and web- provide prospective lenders/investors with expected rates sites114 and to require disclosure of both up-front fees and of return, taking into account expected payment flows, charges and transaction-based fees.115 taxes, fees, insurance, and other expenses.123 Issuers on crowdfunding platforms are typically required to disclose Mandating content of terms and conditions information about the company; its ownership and capital Authorities may seek to mandate the content of con- structure; financial information; its business plan; the main tractual T&C for fintech products, but it would be risks facing the issuer’s business; and the targeted offering important to ensure that these cover all key aspects amount and intended use of proceeds. for consumers. P2PL platform operators in Brazil must include information on the rights, obligations, and respon- Warnings sibilities between the investor, borrower, and platform in Obliging fintech entities to provide warnings or dis- P2P loan agreements.116 Countries such as Kenya117 and claimers in key contexts can highlight risks for con- the Philippines118 require that e-money issuers provide a sumers and assist in balancing out inappropriately written agreement to each consumer covering the terms optimistic perceptions. P2PL platform operators in the of the service and any related fees. United Kingdom are subject to general rules on disclo- Overview and Implementation Considerations   29 sure of past performance that include providing a prom- The risk of information being provided in a poor inent warning that past performance is not a reliable format indicator of future results.124 Brazilian authorities require Disclosing information in a clear and effective format is that P2PL platform operators display on their website and critical for consumer comprehension. As with any type in other electronic channels, as well as in promotional of financial product, providing all relevant information but materials, a prominent warning that P2P loans constitute in a poorly designed format or manner can easily over- risky investments and are not subject to deposit insur- whelm consumers and make disclosure ineffective. This ance.125 In some jurisdictions, warnings are also coupled risk can be further heightened by lack of familiarity with with acknowledgments from lenders/investors. For exam- the pricing and features of fintech products and services, ple, the RBI requires P2PL platform operators to obtain inconsistent and incomplete methods of disclosing pric- explicit confirmation from a prospective lender/investor ing and other T&C, and the challenges inherent in disclos- that they understand the risks associated with the pro- ing information clearly via digital channels. posed transaction, that there is no guarantee of return, and that there exists a likelihood of loss of the entire Fintech entities may use inconsistent practices to dis- principal in case of default by a borrower.126 However, it close costs. As noted above, costs associated with digital would also be important to ensure that any such warnings microcredit have been found to be disclosed frequently as or acknowledgments are not seen by regulators or fintech either rates or monetary figures and using a variety of repay- entities (or misunderstood by consumers) as reducing the ment periods. The proliferation of different and sometimes onus on fintech entities to comply with their obligations complex pricing methods can be confusing for consumers and address relevant risks where appropriate. and, in some cases, has been actively employed by digital microcredit providers to disguise fees. Ongoing disclosure requirements Requiring the ongoing provision of key information is Several unique challenges to disclosure and transpar- intended to address risks such as that consumers may ency arise due to the nature of digital channels. Particu- lack awareness of the latest activity related to their larly with respect to fintech products delivered via feature fintech product or service, or of key changes made phones, practical limitations on the space to convey to contractual terms after acquisition of the product information as well as the ability use different design for- or service. For P2PL, such requirements include oblig- mats pose a challenge to transparency. Consumers may ing platform operators to provide lenders/investors with take a transaction on a mobile phone less seriously than ongoing information about their individual loans/invest- a transaction in a bank branch, attention spans may be ments, as well as matters relating to the circumstances more limited, and the desire for rapid transactions may be of the platform that may affect those loans.127 Lend- increased. Even where consumers are provided with rele- ers/investors may also benefit from periodic updates vant information, the information may not be provided in regarding the general performance of the operator, as a form that allows them to retain it for future reference (a well as notice of adverse events. Platform operators in particular challenge with respect to interactions via fea- China are required to disclose publicly within 48 hours ture phones). if they have been affected by any of a range of adverse circumstances, such as bankruptcy events, cessation or The timing and flow of information disclosed via digi- suspension of business operations, or significant litiga- tal channels can also impede transparency. Consumers tion, fraud, or other incidents affecting its operations may not be given sufficient time to review information on in a manner that may damage borrowers’ interests.128 a screen before it times out. Websites and app-based con- E-money providers are variously being required to pro- tent may be difficult to navigate and may de-emphasize vide transaction receipts;129 to provide periodic state- less appealing information. User interfaces and menus on ments and recent transaction details or make them easily mobile channels may be confusing and not user-friendly, accessible;130 and to notify consumers of changes to T&C hampering effective disclosure as well as increasing the or fees and charges, a general requirement that should likelihood of consumers making mistakes when conduct- apply for all fintech products.131 In addition, mobile chan- ing transactions. nels do not need to pose only an obstacle to disclosure and transparency; they can also be leveraged for conve- Regulatory approaches for poor disclosure formats nient, immediate, and direct transmission of messages Rules mandating greater standardization of pricing and updates to consumers, such as reminders of upcom- and fees are a developing area. The ITU-T Focus Group ing payments or warnings about late payment penalties on Digital Financial Services recommends that regulators for digital microcredit. should establish standard definitions for the cost and fees of digital microcredit, including all bundled services; 30   Consumer Risks in Fintech require disclosure in line with these standard definitions Requirements regarding how key information should to ensure consistency across offerings; and require clear, be positioned and given prominence, already estab- conspicuous, and understandable disclosure of financial lished for paper documents, are increasingly being and other consequences of early, partial, late, or non-re- extended to digital channels. For example, disclosure payment of a digital loan.132 requirements imposed by authorities in Brazil include an obligation that relevant information be displayed prom- Plain language requirements, frequently applied to inently on relevant electronic channels.138 P2PL require- traditional products, are equally relevant to infor- ments in China include that mandated disclosures be set mation disclosed regarding fintech products. There out in a dedicated, conspicuous section of websites and are various examples of requirements for “clear” and equivalent electronic channels.139 BdP specifically notes “understandable” terms with respect to e-money.133 Dis- that institutions that sell banking products or services closure for fintech products should avoid excess techni- through digital channels “should ensure that the informa- cal jargon. For example, the FCA undertook an initiative tion provided in these channels about those products or to consider the changes required for effective digital services is appropriate in terms of content, form of pre- disclosure that allow for innovation while clarifying com- sentation and prominence, especially taking into account pliance with existing rules. The FCA emphasized the the marketing platform and the devices that bank custom- need for providers to develop consistent terminology ers may use to purchase these products or services.”140 and reduce the complexity of language and technical Notably, this approach is specifically made to apply across jargon.134 Consideration may also be required regarding all various digital marketing platforms and devices. how graphic elements affect readability, particularly with respect to digital channels. In Portugal, best practices A range of approaches can be used to counterbalance from Banco de Portugal (BdP) applicable to the sales some inherent limitations of digital disclosure. Prior of retail banking products and services via digital chan- to concluding transactions, providers could be required nels include that financial institutions “evaluate the use to give consumers access to additional channels, such of graphic elements such as font size, color, icons and as call centers, online chat, and agent/branch locations, images in all information media, including on the screens in order to ask questions, clarify T&C, and obtain fur- of the marketing platform and in advertising, ensuring ther assistance via live interaction with provider staff. that those elements are not likely to affect the readabil- For example, when conducting sales of retail banking ity, understanding, and prominent of information.”135 products and services via digital channels, financial institutions in Portugal are required to assist customers Provision of standardized information summaries/ to obtain further information by making available tools key facts statements (KFSs), typically via paper-based such as a hotline or live chat, chatbot, or other interac- approaches, will require adaptation for digital chan- tive tools.141 In Ghana, e-money issuers are required to nels. Approaches may need to vary depending on the explain the “product material” and “general product level of standardization of the fintech product in question elements” to prospective clients and “ensure that pro- and the main channels via which the product is conveyed. spective client understands the nature and form of the For digital microcredit delivered via mobile phones, a product T&C, features and specifications.”142 summary of key T&C in a streamlined format may strike a sufficient balance between the limitations of devices and The order and flow in which information is required to the need to ensure that key information is highlighted for be provided can also assist to enhance transparency and consumers up front. Consumer testing on disclosure for comprehension. As noted by the FCA, it can be benefi- digital microcredit in Kenya found that simpler versions cial to approach disclosure as a “digital journey” with an of T&C led to better comprehension and more searching engaging digital format for consumers to progress through for products from other providers.136 Adapting disclosure the steps of a transaction.143 The Australian Securities and requirements for mobile channels could involve break- Investments Commission’s (ASIC) guidance on good prac- ing down information into bite-sized chunks ordered in tices for digital disclosure notes that providers should con- a more consistent manner across providers (for example, sider whether disclosure flows logically in a way that aids by fees, conditions and risks). For example, the FCA has understanding of the product.144 There is international asked providers to do more to incentivize consumers recognition of the need for appropriate prominence to to engage with information delivered in a digital envi- be given to each aspect of a product, and that disclosure ronment, including by layering information as a means should not divert consumers away from less appealing to guide consumers through their journey in a way that information. In Kenya, the Competition Authority of Kenya enables them to digest each part easily, rather than (CAK) identified a particular issue with consumers not being including all information up front.137 aware of charges for transactions via mobile wallets because Overview and Implementation Considerations   31 providers were not disclosing the cost of such transactions The risk of unbalanced or misleading marketing until after the consumer accepted the transaction on their and promotional information mobile device. The CAK therefore issued guidelines requir- Marketing and promotional information for fintech ing all providers to disclose fully all applicable charges to products may be unbalanced or, in more extreme cases, customers for the mobile money service offered (including outright misleading. Unbalanced or misleading market- money transfers, microloans, and microinsurance) prior to ing is a longstanding core concern for regulators in any completion of a transaction.145 A survey of digital financial financial product context, but factors such as the novelty services users in Kenya found that the proportion of survey of fintech offerings for consumers, the impetus for provid- participants who could correctly estimate the cost of their ers to grow market share quickly, and their entry in new last M-Shwari loan of K Sh 200 went up from 52 percent and less sophisticated markets, may increase the occur- before the CAK order to 80 percent afterward.146 Also in rence or exacerbate the impact of these practices. A Euro- Kenya, consumer testing on disclosure of information for pean Commission study on the digitalization of marketing digital microcredit found that just moving the option to and distance selling of retail financial services highlighted view T&C from the last option in the main menu for a digital several poor practices, including emphasizing benefits loan product to its own screen increased consumer viewing while giving lower prominence to costs; key information of T&C from 9.5 percent to 23.8 percent.147 that is missing or difficult to find, such as risks or costs; and presenting unrealistic offers (such as loans that are almost Regulatory requirements are also increasingly likely to or completely free of charge) while failing to mention the be informed by behavioral insights, including into how conditions attached to such offers.153 P2PL platform oper- consumers access financial products in a digital envi- ators in China were observed to focus on aspects such ronment. In the aforementioned consumer study on digi- as average returns if they appear attractive, without high- tal microcredit in Kenya, requiring an opt-out approach to lighting associated risks sufficiently.154 Adverse marketing viewing T&C increased the rate of viewing from 10 per- practices observed in crowdfunding include promoting cent to 24 percent, and the resulting delinquency rate was past performance without warning that it is not an indi- 7 percent lower for borrowers who read the T&C.148 cator of likely future performance;155 highlighting benefits without equally highlighting potential risks; selectively Approaches to increase the effectiveness of digital dis- choosing information to create unrealistically an optimistic closure could include requiring elements such as user- impression of the investment; and watering down import- friendly sequencing and specific screens and pauses to ant information by comforting statements based on past assist consumers in absorbing important information. records. The FCA has also expressed concerns about Research by the European Commission indicates that add- misleading advertisements by e-money issuers and other ing intermediate steps that customers must pass through, payment services providers that allege that their services such a “review screen” in the purchasing process, has been are “free”156 even though fees are charged by intermedi- shown to result in consumers making more optimal loan ary service providers, and about non-bank providers that choices.149 In Paraguay, lenders utilizing digital channels advertise themselves as offering “bank” accounts or imply must provide consumers with a final option of rejecting that they are a bank. or accepting the T&C prior to the conclusion of the loan contract and disbursement.150 For sales of retail banking Marketing practices adopting particularly aggressive products and services through digital channels, financial approaches or exploiting behavioral biases can be par- institutions in Portugal are required both to ensure that the ticularly problematic in a digital context. Some digital selling process proceeds to the next stage only after cus- microcredit providers have been identified as aggressively tomers have confirmed that they have read to the end of marketing credit to consumers, such as via push market- mandatory information documents, and to use visual and ing and unsolicited, preapproved offers. Aggressive mar- textual techniques to encourage customers to do so.151 keting techniques include push SMS (that is, unsolicited text messages) with credit offers often sent to customers Requirements could be used to ensure that user inter- of MNOs or e-money services. Such practices exploit faces are clear, user-friendly, and easy to navigate. behavioral biases, such as present bias and loss aversion, ASIC guidance notes that digital disclosure should be eas- and lead consumers to make impulsive decisions to take ily navigable, providing a practical example of a menu fea- out loans without a clear purpose or to take out larger ture in an app that allows consumers to go immediately loans than necessary. Certain digital microcredit providers to sections of the disclosure that are most important to utilize digital channels to target marketing at times when them.152 Rules should seek to ensure the same standards consumers are vulnerable to making poor decisions, such in quality of disclosure across different types of mobile as weekend evenings. phones and platforms. 32   Consumer Risks in Fintech Marketing techniques that exploit behavioral biases requires P2PL platform operators to obtain explicit con- to entice consumers can be particularly impactful. firmation from a prospective lender/investor that they Examples include marketing that encourages consumers understand the risks associated with the proposed trans- to borrow the maximum amount possible, suggests that action, that there is no guarantee of return, and that there loans can be repaid easily, or trivializes the seriousness of exists a likelihood of loss of the entire principal in case of a loan. Providers may market loans by focusing only on default by a borrower.163 As noted previously, it would be the maximum amount that can be borrowed. A study in important to ensure that any such warnings or acknowl- Latvia found that digital lenders encouraged consumers edgments are not seen by regulators or fintech entities to disclose a higher income in order to obtain a larger (or, importantly, misunderstood by consumers) as reduc- loan.157 Aggressive advertising via “cute messaging” was ing the onus on entities to comply with their obligations noted by FinCoNet as undermining the seriousness of and address relevant risks where appropriate. entering into a credit contract and distracting consumers from the high costs of loan.158 In some instances, established rules requiring mar- keting information to be balanced are being aug- The remote nature of digital channels and the rapid mented by fair advertising requirements specific to speed of digital transactions increase the vulnerability fintech-related risks. Regulators often request issuers of consumers to aggressive marketing practices. The and crowdfunding platform operators, as well as promot- lack of human interaction with provider staff, combined ers, to ensure that advertisements are not misleading or with the fact that consumers may be transacting from deceptive by overstating or giving unbalanced emphasis the comfort of their own homes, may result in consum- to potential benefits, creating unrealistic expectations, or ers taking digital loans less seriously. In addition, digital not clearly or prominently disclosing information about microcredit can be advertised as “one-click” or nearly the risks facing the issuer’s business or adverse informa- automatic. These factors may lead consumers to making tion about the issuer. For example, P2PL operators in the hasty and poor decisions. United Kingdom are restricted from making inappropriate comparisons, such as making direct comparisons between Regulatory approaches for unbalanced or mislead- investing money in P2PL and holding money on depos- ing marketing and promotional information it.164 The Financial Markets Authority of New Zealand Policy makers continue to use warnings as a key miti- issued guidance on the application of general fair dealing gant, and some are shifting to more targeted warnings requirements to crowdfunding and P2PL products, focus- delivered at crucial moments in providers’ interactions ing on balancing representations about risk and reward with consumers. Nudges such as warnings to consum- and providing performance information appropriately.165 ers regarding the risks of credit have been found to help improve decision-making.159 Short-term credit providers in Policy makers have sometimes decided that it is nec- Armenia must add legislated warnings to their disclosure essary to explicitly ban certain marketing practices. In material, warning customers about the high cost of the Belgium, advertising that focuses on the ease of obtain- credit and encouraging them to shop around and assess ing credit is prohibited.166 In the United Kingdom, payday their ability to repay. In the United Kingdom, high-cost, lenders are specifically required to refrain from advertis- short-term credit must include a prominent risk warning ing that trivializes the nature of payday loans, including by and redirect consumers to resources from the authority encouraging nonessential or frivolous spending or unac- in charge of debt advice.160 Similarly, obliging P2PL plat- ceptably distorting the serious nature of such loan prod- form operators to provide certain warnings or disclaim- ucts.167 Rules in the European Union generally restrict the ers in key contexts is being used to assist in balancing marketing of services that consumers have not solicited.168 out inappropriately optimistic perceptions by consumers. In Portugal, financial institutions should refrain from using Platform operators in the United Kingdom are subject to pre-ticked boxes or graphic elements to lead customers rules that require providing a prominent warning that past to choose certain options when conducting sales of retail performance is not a reliable indicator of future results,161 banking products via digital channels, and they should while Brazilian authorities require that operators display also refrain from using terms such as “preapproval” or on their website and in other electronic channels, as well “pre-acceptance” during the sales process, as such terms as in promotional materials, a prominent warning that P2P give the impression that credit is easy to obtain.169 loans constitute risky investments and are not subject to deposit insurance.162 Regulators have also been implementing rules to address potentially misleading or incomplete informa- In some jurisdictions, warnings are also coupled with tion shared between parties through platforms. Regu- acknowledgments from lenders/investors. The RBI lators have begun to take steps to regulate crowdfunding Overview and Implementation Considerations   33 platforms that support secondary markets or exchange of ing of potential investees and borrowers that retail inves- information about securities (bulletin boards), such as by tors may not be able to achieve. requiring posters to disclose clearly if they are affiliated in any way with the issuer and by mandating that platform Investor inexperience can also exacerbate other invest- operators take reasonable steps to monitor and prevent ing-related risks, such as excessive overall financial posts on bulletin boards that are potentially misleading exposure (investing/lending too much of one individ- or fraudulent.170 ual’s net worth) or impacts from lack of control over the ultimate investment. Regulators have expressed Cooling-off periods within which investors can with- concern with the risk that P2PL may expose investors to draw from investments without consequences are an excessive losses having regard to their financial and other additional consumer protection measure often applied personal circumstances. The UK regulator noted recently by regulators. In the United States, crowdfunding regu- that, while losses and defaults in their P2PL sector had lations permit investors to withdraw up to 48 hours prior been low, it was important to recognize that the sector to the deadline specified in the issuer’s offering materi- both was relatively new and had not been through a full als.171 In Italy, the applicable cooling-off period starts on economic cycle. When economic conditions tightened, the day when the investor subscribes to the offer and lasts losses on loans could increase.173 Due to the highly dis- seven days after that investment decision. In Australia, a persed nature of crowdfunding investments relative to cooling-off period also starts on the day when the investor the concentrated holdings of business owners and larger makes an application (subscribes to the offer) and lasts investors, the separation between the crowd and control up to five days after making the application. In Dubai, over the management of investees is often high. This can retail investors may withdraw during a 48-hour cooling-off create agency-related risks (and even moral hazard issues) period that starts at the end of the commitment period.172 to the detriment of the crowd, which may lack the skills and experience to protect their investor rights. f)  Product is unsuitable for a consumer An oft-quoted benefit of digital microcredit, expanding The risk of unsuitability due to consumer lack of access to credit to millions of low-income consumers, at sophistication or inexperience the same time can heighten the risk of poor borrowing Fintech can result in consumers having increased behavior and related negative consequences for con- access to novel and complex financial products, such sumers with limited prior experience with credit. Addi- as through P2PL and investment-based crowdfund- tional factors already discussed above, such as aggressive ing platforms, that they may lack the knowledge and marketing, unsolicited offers for digital microcredit, and experience to assess properly. Even if consumers are poor transparency regarding pricing, can further cause provided with all feasible and appropriate information inexperienced consumers to take up credit without consid- about the risks and other key features of a particular fin- ering the consequences effectively. For example, in some tech product, lower financial capability or sophistication countries, a growing number of consumers are developing can nevertheless expose them to losses or other harms. negative credit histories due to digital microcredit.174 This situation can be exacerbated when a fintech offering entails more complex or riskier aspects than traditional Regulatory approaches to risk of unsuitability due financial products that consumers may be familiar with. to consumer lack of sophistication or inexperience It may also be the case that a platform operator does not Limits on consumers’ exposures have sufficient information or understanding about a con- In order to limit potential harm to retail investors from sumer’s lack of skills or sophistication. This may be due to exposure to investments offered through P2PL and a lack of effort or availability of data. investment-based crowdfunding platforms, regulators are setting limits on individual investments. These lend- Investment-based crowdfunding and P2PL platforms ing/investing caps are being implemented on a variety of have enabled more individuals to act as investors and bases, ranging from overall caps to limitations on specific lenders to small enterprises and to other consumers. exposures. In Dubai, for example, an investment-based While a positive outcome for the purposes of increasing crowdfunding operator must ensure that a retail client does access to finance, these products can expose retail inves- not invest more than $50,000 in total in any calendar year tors to risks of loss with which they may not be familiar using its platform.175 In contrast, Australia has set an invest- when contrasted with more traditional investments they ment cap of A$10,000 per annum per company without an have dealt in previously. The assessment of investment aggregate investment cap. In India, the RBI has imposed and lending opportunities in the context of crowdfunding both a cap on the total P2PL loans that a lender/investor and P2PL can require a level of analysis and understand- may make of ₹1 million as well as a cap of ₹50,000 on a 34   Consumer Risks in Fintech lender/investor’s exposure to any individual borrower.176 tors (funding portals)186 must seek a demonstration from The implementation of monetary caps on P2PL appears to investors that they understand the risks of crowdfunded be widespread in the European Union.177 For example, in investing. In some jurisdictions, the focus is on assessing France, caps for individual lenders/investors of €2,000 per the appropriateness of a product for a client, where level loan if interest-paying or €5,000 if interest-free apply, while of understanding may be one of the elements requiring Spain has prescribed limits on a per-loan and total-annual consideration. This approach is discussed below in the basis (of €3,000 and €10,000, respectively) for nonaccred- context of suitability assessments. ited investors. Some limitations are being set by reference to an investor’s specific circumstances. The UK rules on direct The risk of unsuitability due to inadequate assess- financial promotions178 allow P2PL and investment-based ment or product design crowdfunding platforms to communicate financial promo- Fintech credit products offered with limited or no tions directly only to retail investors that confirm that they assessments of a consumer’s circumstances, or without will not invest more than 10 percent of their net investable adequate consideration of the target market for a prod- assets unless receiving regulated financial advice.179 uct, may result in product offers that are unaffordable or not suitable for particular consumers. This risk already Some jurisdictions impose caps on the amount that an exists in the context of more traditional products but can individual borrower may borrow through P2PL plat- be exacerbated by new factors in a fintech context. For forms or limit how much money a company can raise on example, digital microcredit providers may initially utilize a crowdfunding platform. In Australia, eligible companies blind “lend-to-learn” models that fail to consider repay- are able to make offers of ordinary shares to raise up to A$5 ment capacity sufficiently, or P2PL loans may be offered million through crowdfunding in any 12-month period.180 by platform operators whose business model causes them In Malaysia, an issuer may raise, collectively, a maximum to be less concerned with assessing credit quality. As a amount of RM 10 million through equity crowdfunding in its result, borrowers may become over-indebted and con- lifetime.181 P2PL rules in China impose a general obligation sumers acting as lenders/investors may suffer losses. In on platform operators to set limits on individual borrow- the case of P2PL, lenders/investors may be heavily reliant ers’ total loan balances with individual platforms and across on assessments by the platform to ensure that loans fit platforms. Limits of ¥ 1 million and ¥ 5 million have been within parameters they are comfortable with,187 lacking set for total loan balances of a natural person or a legal the ability to assess this for themselves. Investments may person, respectively, across multiple platforms.182 In India similarly be offered through crowdfunding or P2PL plat- the RBI has imposed a cap on the aggregate P2P loans forms that are inappropriate for certain retail investors. taken out by a borrower at any point in time of ₹1 million.183 If an operator lacks the onus to assess a consumer’s risk appetite, experience, and financial circumstances, invest- Warnings and disclosures ments offered through crowdfunding or P2PL platforms Disclosure and transparency measures are obviously may be inappropriate for certain retail investors. important in assisting to mitigate against additional risks faced by inexperienced or unsophisticated con- Regulatory approaches to risk of unsuitability due sumers, although such measures are unlikely to be a to inadequate assessment or product design complete or even the main solution. For example, some regulators require platform operators to warn potential Affordability assessment investors about risks affecting P2PL or investment-based Many countries already have in place general obliga- crowdfunding offerings. These requirements are some- tions to obtain and verify information about a consum- times introduced specifically for fintech offerings and er’s financial circumstances for consumer credit and, in sometimes applied by extending existing requirements. some instances, specifically for short-term, high-cost Platforms in the United Kingdom have a general obli- credit. Different approaches have been taken to impose gation to warn clients about the risks associated with such obligations, from principle-based to more prescrip- investments in financial instruments that now apply to tive.188 In South Africa, providers are prohibited from “reck- platforms.184 In Dubai, information that must be displayed less lending” and from entering into a credit agreement on platform websites includes warnings about the main without first taking reasonable steps to assess a consumer’s risks of using crowdfunding platforms and consequences financial circumstances. A credit agreement is considered of risks, such as if there are defaults.185 reckless if the provider did not conduct such an assess- ment, if the consumer did not understand the risks and Some regulators require platforms to obtain some obligations of the credit agreement, or if entering into the level of confirmation regarding consumer understand- credit agreement would make the consumer over-indebt- ing. In the United States, crowdfunding platform opera- ed.189 Some countries employ more prescriptive measures Overview and Implementation Considerations   35 to gauge affordability. In Japan, moneylenders (including tory approaches on product design and distribution fintech lenders) are prohibited from lending where the can help ensure appropriate design of fintech products total amount of borrowing exceeds one-third of a consum- and reduce risks to consumers before such products er’s annual income.190 Such regulatory approaches also even enter the market. A recent World Bank publication help to address risks related to conflicts of interest raised discusses the increased emphasis by authorities on legal below with respect to digital credit providers. requirements that govern how retail financial products should be designed and distributed so they are appro- For P2PL, it is crucial that obligations apply to the priate for their target market, supported by product entity in the best practical position to undertake such intervention powers granted to regulators.197 Australia, assessments, which is usually the P2PL platform oper- the European Union, Hong Kong, South Africa, and the ator, rather than the individual consumer. For example, United Kingdom, for example, all have such frameworks in the United Kingdom, the FCA introduced rules that or are developing them. require a platform operator to undertake creditworthi- ness assessments equivalent to those that would need The main focus of such regimes is on requiring FSPs to be undertaken by a traditional licensed lender.191 The to put in place product oversight and governance rules set out detailed requirements for the information arrangements designed to ensure that financial prod- that should be obtained and verified about the borrow- ucts meet the needs of consumers in target markets. er’s income, expenditure, and other circumstances by the Common elements of such regimes include the following: platform operator for the purposes of such an assessment, • Governance standards: Requiring FSPs to establish and how the assessment should be made.192 India’s RBI and implement clear, documented product oversight has similarly imposed obligations on platform operators and governance arrangements overseen by senior to undertake credit assessment and risk profiling of bor- management. rowers and to disclose the results of these to prospective lenders/investors.193 • Target market assessments: Requiring FSPs to under- take an assessment of the target market for which the Product suitability product is being developed. There may also be a need Requirements to assess the appropriateness of prod- for product testing before the product is launched. ucts are being applied in a range of fintech contexts. In • Distribution arrangements: Requiring FSPs to ensure the case of investment-based crowdfunding, such require- distribution channels are appropriate for consumers in ments frequently include collecting information from pro- the target market for a product. spective investors to establish their understanding of the • Post-sale product reviews: Periodically following prod- risks involved with an intended transaction and whether uct launch, requiring FSPs to review a product and the selected project is suitable for their profile. New EU related disclosure materials. regulation on crowdfunding requires that platform oper- ators run an entry knowledge test on their prospective Such regimes may include or be complemented by investors and that such prospective investors simulate product intervention powers. These allow regulators to their ability to bear loss.194 In the United Kingdom, when a impose restrictions on the marketing, distribution, or sale retail client is not receiving investment advice, a platform of specified products and can be used where there is evi- must undertake an appropriateness assessment before dence that a financial product has resulted or will likely the client can invest. The operator is required to deter- result in significant detriment to retail clients that cannot mine whether the client has the necessary experience and be remedied in any other way. knowledge in order to understand the risks involved in relation to the opportunity being offered.195 The FCA has Such regimes are starting to be applied to digital included guidance with its new rules suggesting a range credit products. For example, the EBA specifically high- of multiple-choice questions that avoid binary (yes/no) lights that it would be good practice for providers to answers that operators should consider asking prospec- give further attention to “the risks that consumers might tive P2PL investors. Questions address matters such as face due to the increasing use of digital channels by FIs the client’s exposure to the credit risk of the borrower, the [financial institutions] (e.g. exposing consumers to mar- potential loss of capital, and that investing in P2PL is not ket practices that exacerbate behavioral biases) when comparable to depositing money in a savings.196 improving their POG [product oversight and governance] processes.”198 Digital microcredit lenders in Ghana are Product design and distribution required to present and demonstrate their product, the While product suitability requirements focus on inter- identified risks, and risk-mitigation strategies to a panel actions with individual consumers, emerging regula- at the Bank of Ghana for assessment and approval before 36   Consumer Risks in Fintech launching the product.199 Potential measures to address tivize them to behave in ways contrary to the interests risks include requiring providers to place greater focus of prospective investors. The platform operator may not on customer segmentation200 and to target and sell only perform due diligence on prospective offers to a required those digital microcredit products that are suitable and standard, as this may result in having to decline hosting that appropriate for the interests, objectives, and characteris- offer, or the operator may be reluctant to assist investors tics of target segments.201 in exercising cooling-off rights to cancel their investment, affecting the success of an offer. As another example, in some P2PL models where a consumer invests in a portfolio Conflicts of interest and conflicted business g)  of loans rather than individual loans, the platform operator models may have the right to change from time to time the loans Risks to consumers that make up that portfolio. A lack of alignment between Certain characteristics of fintech arrangements can be the operator’s ability to make such changes and the inves- conducive to conflicts between the interests of con- tor’s interests may mean that the operator does not exer- sumers and those of providers that may have signifi- cise such rights in ways that always ensure that an investor’s cant adverse impacts on consumers. Such conflicts often interests are protected. The operator may not properly arise in traditional financial product and service settings, take into account the up-to-date value of the loans being but new or changed fintech business models may give reassigned, to ensure that the investor is not exposed to rise to conflicts under new circumstances not foreseen by greater risk or loss, in order to avoid operational cost or regulators (or expected by consumers), as well as produc- effort or to transfer changed risk to the investor, such as ing new variations of typical conflicts. when facilitating the transfer of pre-funded loans initially arranged by the operator or related party or choosing to Fee-revenue models underpinning some fintech busi- favor some investors over others in such transfers.204 nesses can give rise to perverse incentives for fintech entities to act in ways inconsistent with the interests Business models heavily dependent on generating of their consumers. Some P2PL platforms earn origina- certain fees, often volume-based, may also incentiv- tion fees by facilitating new loans, while consumer inves- ize fintech entities to encourage consumers to engage tors bear the loss if those loans are made imprudently.202 in detrimental behavior. Digital lenders in a range of Some P2PL platform operators also receive additional rev- jurisdictions have been found to encourage consumers enue streams from charging debt collection fees to pursue to continue rolling over the loans or to take up multiple delinquent loans on behalf of such investors. Such arrange- loans. Even if a digital lender may be exposed to the risk ments can give rise to a conflict between investors’ inter- of loan defaults, they may opt to focus on loan quantity ests in ensuring adequate credit assessments of all loans rather than quality to maximize fee-related returns. While and an operator’s potential interest in loosening such stan- such practices have always been present in the financial dards to enable more borrowers to qualify for loans that sector, these practices are highly enabled by the digital generate additional fees and market share.203 The resulting nature of fintech, which allows providers to reach expo- conflict can also have an adverse impact on borrowers if nentially more customers at much lower costs. Providers they are approved for unaffordable loans. This can also be may also be incentivized to offer refinancing to consum- the case in digital microcredit business models where a ers struggling to repay a loan through a new loan that a digital lender’s profitability is heavily dependent on gen- borrower may perceive as staving off default but in fact erating up-front facilitation fees (which may be significant causes them to incur additional fees and ultimately an relative to the size of digital loans) or other fees that are even greater debt. Paying sales-based commissions to not necessarily affected by loan quality, and less on inter- agents of e-money issuers may encourage them to rec- est income from repayments. A lender may accept high ommend one provider over another regardless of whether loss rates as a cost of doing business, focusing on growing the product is suitable for the consumer. loan volumes—facilitated by high-speed, low-contact digi- tal loan distribution—rather than loan quality. Remuneration structures for fintech entities’ staff and agents may encourage them to engage in behavior Such potentially harmful conflicts are frequently the inconsistent with the interests of the consumers they result of a business model in which the fintech entity deal with. Such remuneration is variously referred to as is empowered to make key decisions affecting risk of “conflicted remuneration” or “perverse incentives.” In loss where resulting loss is borne by consumers. For the context of e-money arrangements, for example, sales- example, the financial benefits that an investment-based based commissions may encourage agents not to act in crowdfunding platform operator derives from publicizing the best interests of consumers when recommending an crowdfunding offers and ensuring their success may incen- e-money provider or product. An agent may recommend Overview and Implementation Considerations   37 one provider over another primarily because of the higher In Italy, platform operators are similarly obliged to prevent commissions involved, regardless of whether the product any conflicts of interest that may arise in the management is suitable for the consumer’s financial needs, objectives, of platforms from having a negative effect on the interests or capacity. of investors and ensuring equal treatment of recipients of offers who are in identical conditions. They must prepare, Business models that allow fintech entities or affiliated implement, and maintain an effective policy on conflicts of parties to compete with consumers may give those interest, defining the procedures to be followed and mea- entities unfair advantages, such as insider knowledge, sures to be taken to prevent or manage such conflicts.207 and incentivize conduct that prejudices the interests of consumers. On an investment-based crowdfunding Conflict-management obligations are often part of the platform, for example, the operator or their affiliates may general obligations that apply to entities licensed or invest in offers hosted on the platform, or they may hold otherwise authorized to provide financial products or an interest in entities making offers through the platform services in a jurisdiction. For example, in Australia a P2PL or in investors taking up that offer. The way that the opera- platform operator—as the holder of an Australian credit tor assesses such offers or represents them to prospective licence—would be subject to a general obligation to have third-party investors may all be affected by such underly- in place adequate arrangements to ensure that its borrower ing interests.205 A P2PL platform may similarly allow the consumers are not disadvantaged by any conflict of interest platform operator or their affiliates, as well as the public, that may arise wholly or partly in relation to credit activities to invest in loans offered through the platform. The oper- engaged in by them or their staff or agents. They would ator or affiliate may then enjoy advantages over ordinary also be subject to a similar obligation in relation to their investors. Such advantages may include, for example, bet- consumer investors as the holder of a financial services ter or prior access to loan selection or access to informa- license covering their investment activities.208 In the United tion, not available to other investors, about prospective Kingdom, one of the “Principles for Business” applying to borrowers and how they have been assessed. This may all authorized firms would require fintech entities to man- allow the operator or affiliate, for example, to relegate age conflicts of interest fairly, both between themselves investors to choosing from lesser-quality loans.206 and the consumers they deal with, as well as between con- sumers.209 However, it would also be important to ensure Regulatory approaches that such general conflict mitigation obligations cover fin- tech entities comprehensively, regardless of the basis on General conflict mitigation obligations which any licensing or authorization framework applies. A key mitigant against potential consumer harm from conflicts are obligations on fintech entities to manage Compulsory disclosure of conflicts more generally may and mitigate such conflicts that arise from their activ- go some way toward mitigating their impact on con- ities. This well-established mitigant places an onus on sumers. However, as demonstrated by regulators’ devel- providers to identify and implement practical measures opment of a range of substantive conflict-management to address conflicts. Typical obligations of this kind would obligations on providers, there is increasing recognition require fintech entities to implement adequate policies and that it is difficult for consumers to be able to avoid or procedures and effective organizational and administrative mitigate the impact of conflicts even if they are aware of arrangements designed to prevent conflicts of interest them. Consumers may also paradoxically place more trust from harming the interests of the consumers that they deal in providers after they reveal conflicts, rather than less. with. Such obligations encompass expectations that fintech entities take appropriate steps to identify and manage, or Conflicted remuneration restrictions and transparency prevent, conflicts of interest within their business, such as An important mitigant against conflicts driven by conflicts between the interests of their management, staff, incentives are requirements on fintech entities to have or agents and those of consumers, and even conflicts that in place policies to ensure that their internal remu- their business model and platform arrangements may cre- neration arrangements do not encourage conflicted ate between different clients. For example, crowdfunding behavior. In the context of digital microcredit or P2PL, platform operators in Dubai are required to take reason- such obligations could include ensuring that incentives able steps to ensure that conflicts, and potential conflicts, for staff undertaking or overseeing credit assessments (or between themselves and clients as well as between clients designing those credit assessments, such as where these are identified and prevented or managed in such a way are automated) are not based solely on volume and take that the interests of a client are not harmed, and all clients into account loan quality and overall performance.210 are treated fairly and not prejudiced by any such conflicts. If an operator is unable to prevent or manage a conflict, Disclosure of remuneration, such as sales-based com- they must decline to provide relevant services to a client. missions paid to e-money agents or financial interests 38   Consumer Risks in Fintech that a crowdfunding platform operator has in an issuer Restrictions may need to be placed on particular offering securities on their platform, may sometimes aspects of fintech business models that increase sig- assist to mitigate risk of conflicted remuneration. This is nificantly the likelihood of or the consumer harm from particularly the case where consumers would rely on advice conflicts, such as arrangements that allow fintech enti- or recommendations from provider staff or agents without ties or their affiliates to compete with their consumers realizing these may be influenced by incentives. For exam- unfairly. Many regulators have implemented restrictions ple, in the United States, crowdfunding platform operators on a crowdfunding platform operator, and their affiliated acting as intermediaries must clearly disclose the manner parties, investing in issuers whose offers are hosted on in which they are compensated in connection with offers their platform, as a way to avoid conflicts of interest that and sales of securities undertaken through their platform.211 may arise with other investors using the platform. Pro- posed crowdfunding rules in the European Union would Duties to act in consumers’ best interests prohibit platform operators from having any financial Duties on fintech entities to act in accordance with participation in crowdfunding offers that they host. Affil- the best interests of their consumers can also act as iates of an operator (such as shareholders holding 20 a key mitigant against potential consumer harm from percent or more of share capital or voting rights, manag- conflicts. If a conflict arises between the entity’s interests ers and employees, or any persons directly or indirectly and those of a consumer, such a duty would require them controlling the operator) also would not be permitted to to adjust their conduct to place the consumer’s interests invest in such offers. In Dubai, any officer or employee of a first. In Australia, for example, a P2PL platform operator crowdfunding platform operator (or their family members) would be required to act in the best interests of investors is restricted from investing or issuing via the platform or when their platform arrangements constitute a managed to have financial interest in any issuer or investor. Some investment scheme.212 Sometimes such a duty is framed regulators have placed caps on such investments—in less onerously but still requires that appropriate regard be Malaysia, operators are permitted to have shareholdings paid to consumers’ interests. In the United Kingdom, one in issuers hosted on their platform of up to 30 percent, of the “Principles for Business” to which authorized firms accompanied by public disclosures. The United States, on must adhere is to pay due regard to the interests of their the other hand, allows operators to invest in issuers sell- customers.213 These kinds of duties seem to be imposed ing securities through their platform, but only if the finan- more commonly in relation to some types of financial cial benefit they derive is compensation for their services products or services, such as investment-related services and consists of the same class of securities, on the same or financial advice. For example, under a new EU regula- terms, as those that the public receives. This concession tion on crowdfunding, platform operators are subject to was viewed as helpful in raising the profile of crowdfund- a duty to act honestly, fairly, and professionally in accor- ing campaigns.216 In some jurisdictions, restrictions have dance with the best interests of investors.214 similarly been placed on P2PL platform operators or their associates investing in loans facilitated by their platforms. Obligations targeting specific conflicted circumstances For example, regulations in China limit operators to inter- Regulatory requirements targeting specific circum- mediating loans made directly between lenders/individ- stances may sometimes be necessary, in addition to uals and borrowers and prohibit operators from making general conflict mitigation obligations, to address any loans themselves. Indonesian regulations similarly conflict root causes or harms effectively. Requirements prohibit operators from acting as lenders or borrowers.217 on digital lenders and P2PL platform operators to under- take a proper creditworthiness assessment, as already Regulators may also find it necessary to prohibit certain discussed above, would assist in addressing lax lending specific financial benefits. For example, in order to ensure practices that may arise as a result of business models that that prospective investors on crowdfunding platforms depend on loan volumes, rather than loan quality, to gen- are offered investment opportunities on a neutral basis, erate revenue. A need for targeted obligations was simi- new EU rules prohibit platform operators from paying or larly identified by the UK regulator to mitigate against the accepting any remuneration, discount, or non-monetary risk of conflicts leading to inappropriate loan pricing by benefit for routing investors’ orders to particular offers.218 P2PL platform operators with interests that diverge from those of consumers. Such operators are obliged to have a mechanism in place to ensure that the pricing offered to h)  Risks from algorithmic decision-making investors accurately reflects the credit risk of the borrower. Risks to consumers This was viewed as important both when setting the inter- est rate (for new loans) and when calculating the present The use of algorithms for consumer-related decisions is value of a loan (interest and principal) for existing loans increasing in financial markets overall but is becoming being transferred to an investor.215 particularly prevalent in highly automated fintech busi- Overview and Implementation Considerations   39 ness models. 219 In the case of the fintech product exam- interaction with FCP regulation. However, as noted ples discussed in this paper, this is particularly relevant to above, it is not intended to be an exhaustive canvassing credit scoring decisions for digital microcredit and P2PL. of privacy risks.224 Consumers risks that may arise as a result of algorithmic scoring decisions that lead to unfair, discriminatory, or Consumers may lack awareness or understanding biased outcomes. regarding how and what data about them is collected or used, not assisted by common approaches to noti- Regulatory approaches fications and consent. As already discussed, delivery of This is a cutting-edge area with limited examples of information through digital channels, such as through regulatory approaches that have been implemented feature phones, and the speed with which fintech prod- to date. However, general principles for algorithmic ucts are acquired can make it difficult for consumers to accountability are emerging around the key principles process information adequately, including data priva- of fairness, explainability, auditability, responsibility, and cy-related notifications. Importantly, the complexity of accuracy. Emerging regulatory approaches relevant for data-sharing relationships underlying business arrange- fintech include applying fair treatment and anti-discrim- ments, and the uses to which such data may be put (such ination obligations to algorithmic processes; rules on as algorithmic decision-making), can make it inherently safeguards for the development, testing, and deploy- more difficult for consumers to understand privacy-re- ment of algorithms and for auditability, and transparency lated disclosures and their implications. Further, as high- for consumers.220 For example, the EBA guidelines on lighted in a previous World Bank publication on new loan origination and monitoring require that when using forms of data processing, there are practical limitations automated models for creditworthiness assessment and with consent-based data privacy models that are exacer- credit decision-making, financial institutions should have bated in the digital context and with greater complexity in place internal policies and procedures to detect and of data and uses.225 The previous World Bank paper also prevent bias and ensure the quality of input data.221 Finan- discusses a range of risks that can arise as a result of new cial institutions in Portugal are explicitly required to inform forms of data processing for the provision of financial bank customers of situations where their creditworthiness services that are highly relevant in a fintech context, such assessments rely exclusively on automated decision-mak- as use of data to discriminate inappropriately between ing processes, particularly artificial intelligence models, consumers and impacts on consumers from inaccurate in order to allow customers in such situations to exercise data or data breaches. their rights under European Union data protection rules.222 Importantly, individuals may be affected by fintech-re- lated data privacy issues regardless of whether they i)  Data privacy are ever customers or prospective customers of fintech Data privacy is obviously a crucial consideration in rela- entities. Personal information may be subject to data min- tion to fintech offerings, given their highly data-driven ing, purchasing, or analytics regardless of any existing or nature. Business models for fintech offerings often revolve prospective consumer relationship, such as for product around the innovative use of big data223 and alternative development or marketing research. There is an increas- data, whether to target consumers for product offerings, ingly wide array of data brokers and data analytics compa- assess product applications, or design products. Alterna- nies (often not regulated under financial sector regulation). tive data may include, for example, data on airtime, usage of mobile data, usage of mobile money, calling patterns, Data privacy risks are not confined to the financial sec- social media activity and connections, internet usage and tor, given how data travels through and is exchanged browsing history. Such data may be purchased from third and handled across different sectors. FCP regulation parties or obtained from a consumer’s phone. While such by itself can struggle to address such issues because of innovative data sourcing and analysis arrangements can, sectoral boundaries, hence the whole-of-economy/ juris- for example, expand access to finance for consumers in diction approach to data privacy regulation reflected in relation to whom limited formal data is available, they also regimes such the European Union’s General Data Protec- raise new, complex data privacy concerns, such as regard- tion Regulation (GDPR).226 ing informed consent and legitimate uses. Without seeking to set out a full range of elements to This section briefly touches on data privacy issues mitigate data privacy risks comprehensively, the follow- from a fintech consumer’s perspective as an introduc- ing are examples of data privacy regulatory measures tion to their relevance to financial consumer risks and emerging internationally and relevant to fintech:227 40   Consumer Risks in Fintech • Coverage of alternative data: It is important that • Similar to provider liability requirements for the definitions of personal data (or equivalents) are suf- behavior of agents, providers are being given ficiently broad and flexible to cover alternative data greater responsibility regarding the data practices and, in particular, that they reflect the increasingly of third parties that they contract. In some frame- greater ability to identify individuals from data. Data works, this is more implicit, based on concepts of associated with individuals can include, for example, controls, but it seems likely to be increasingly more information about internet or other electronic net- overt. For example, a draft data privacy bill proposed work activity (such as browsing and search histories, in the United States (the Consumer Online Privacy stored locally or with providers), geolocation data, Rights Act) includes provisions that require providers and inferences drawn from such information to create to exercise reasonable due diligence in selecting a ser- a profile about an individual relating to matters such vice provider and conduct reasonable oversight of its as (as referenced for example in California’s recently service providers to ensure compliance with data-pro- implemented Consumer Privacy Act228) their prefer- tection rules on service providers and third parties.236 ences, characteristics, psychological trends, predispo- The GDPR already focuses on this through, for exam- sitions, behavior, attitudes, intelligence, abilities, and ple, responsibilities placed on data controllers for the aptitudes.229 California’s Consumer Privacy Act defines actions of data processors. “personal information” as “information that identifies, • In jurisdictions such as the European Union, individ- relates to, describes, is reasonably capable of being uals are being given a range of additional data-re- associated with, or could reasonably be linked, directly lated rights allowing them to exercise greater access or indirectly, with a particular consumer or household”, to and control over their data. The GDPR, for exam- and then provides a non-exhaustive list of examples, ple, provides for a right to data portability,237 enabling including the kinds of data described above.230 individuals to obtain and transfer their personal data • While consent will likely continue to be a key ele- between providers for their chosen purposes, and a ment of data privacy frameworks, there is a clear broad “right to be forgotten”—facilitating individuals’ shift away from bundled, overarching consent and ability to have personal data about them erased and to toward models requiring more active, granular, and prevent further processing.238 targeted consent. For example, the European Union’s GDPR notes that separate consent should be obtained for different personal data-processing operations 3.2 IMPLEMENTATION where appropriate.231 CONSIDERATIONS • There is also increasing recognition that con- For any regulator contemplating implementing the sent-based approaches to data privacy are useful but kinds of regulatory measures discussed in this paper, likely insufficient. An emerging approach puts greater it will be important to tailor regulatory approaches to focus on personal data being processed for legitimate country context and to balance the need for consumer purposes. The GDPR requires that personal informa- protection with the resulting impact on industry and tion be collected for explicit, specific, and legitimate market development and innovation. This section sum- purposes and not processed in a way incompatible marizes a range of key implementation matters for regu- with such purposes.232 Some commentators suggest lators to consider.239 that under some circumstances, policy makers could consider being more prescriptive regarding what qual- ifies as, and what are the boundaries of, legitimate use. Importance of country context and striking an a)  For example, access to contacts and personal data to appropriate balance threaten customers (as opposed to using such data for Although this paper identifies a range of potential reg- lending decisions) could be banned.233 ulatory measures to address relevant risks, it is not the • Data minimization and privacy-by-design require- authors’ intent to suggest that all regulatory measures ments are becoming increasingly important. The be implemented in all situations. Rather, the objective GDPR requires that personal data be adequate, rel- was to provide authorities with a range of regulatory mea- evant, and limited to what is necessary in relation to sures from which to select approaches best suited to their the purpose for which data is being processed and particular circumstances. Some of the regulatory measures kept for no longer than necessary for the purposes for discussed in this paper can impose significant compliance which the personal data are processed.234 This is also costs on industry participants; implementing all regulatory reflected in other data privacy frameworks, such as in measures could lead to excessive compliance burdens. Australia and Canada.235 A proportionate, risk-based approach will be needed. It Overview and Implementation Considerations   41 is important for any regulator contemplating implement- practical steps, such as requiring providers to provide ing regulatory measures to strike an appropriate balance information (via a structured questionnaire) on how con- between the need for consumer protection and the result- sumer credit products are being offered through digital ing impact on industry and market development, includ- channels. BdP also held bilateral meetings with individ- ing potentially harming access to finance. For example, ual providers during which providers demonstrated the as high-profile incidents of lender/investor losses and contracting flows via online or mobile channels. These other consumer harms have affected P2PL in a number were then discussed and suggestions provided by BdP of countries, authorities deemed it necessary to increase when process revisions seemed necessary. Based on obligations and restrictions on participants significantly identified best practices as well as behavioral econom- to mitigate the risk of such harms occurring in the future. ics, BdP issued a set of recommendations in July 2020 Reactions to this have been mixed. Media reporting in on how institutions should comply with their duties when the United Kingdom suggests, for example, that platform selling retail banking products and services through dig- operators themselves hope significant reforms by the UK ital channels.242 Countries such as Australia, Ireland, and regulator will help to restore the sector’s damaged rep- the United Kingdom have conducted industry reviews utation by weeding out weaker, less compliant compet- of high-cost, short-term lenders as part of market mon- itors.240 By contrast, some industry participants in China itoring activities, in some cases leading to the introduc- have expressed concern that major reforms implemented tion of new rules. More broadly, the FCA, for example, by the Chinese authorities may stifle the sector and cause undertakes a periodic “Financial Lives” survey to under- remaining players to change their business significantly to stand the financial products that consumers have, their their detriment.241 experiences engaging with FSPs, and their attitudes about dealing with money and the financial sector.243 Assessing the market, consumer experiences, b)  and current regulatory framework In their ongoing development of regulatory policy, regulators where feasible should also leverage infor- Policy makers should first seek to develop a good mation obtained from industry engagement through understanding of their fintech market and the financial arrangements such as regulatory sandboxes. As dis- sector more broadly in their country. Effective stake- cussed in a recent WBG note, for example, the benefits holder consultation, at the consumer as well as indus- of such arrangements for regulators can include providing try level, will be essential. Within each fintech category an evidence base from which to make policy and help to available or entering a country’s financial sector, a range define, create, or amend regulation.244 of models may be being utilized, with different types of providers, operating models, product features, digital In parallel, the existing regulatory framework should channels, and current and prospective customer bases be assessed for gaps, including in relation to base- and target markets. These differences will influence the line FCP issues, and effectiveness. While this paper risks being faced by consumers as well as how they can discusses new or changed manifestations of consumer best be addressed. risks, as already mentioned, equally important baseline consumer risks and corresponding regulatory measures A regulator’s research to inform its regulatory policy apply across financial product types. Regulators should making should include seeking to understand consum- consider whether their existing frameworks address these ers’ issues and experiences. This includes focusing on baseline risks effectively, as well as new manifestations both consumer expectations and experiences in relation of consumer risk resulting from novel aspects of fintech to fintech products and financial products more broadly products. This review should include any existing FCP in the context of their needs and circumstances, as well as rules, as well as other measures that may act as mitigants. in relation to potential measures, including but not limited In addition, given the breadth of consumer risks raised by to regulation, that may be able to address risks and con- fintech products of the kinds discussed in this paper, the cerns that consumers face. assessment should include review of a broader range of rules, including those with respect to data privacy, credit Information for these purposes can be gathered reporting and scoring, general consumer protection, from a variety of sources, including market research; and digital channels, to determine overlaps and poten- consumer focus groups; meetings with providers, tial inconsistencies with proposed mitigants. Regulators consumer and civil society representatives, experts, should also seek to understand the effectiveness and and other industry participants; complaints data; and impact of existing rules to inform decisions on whether supervisory activities. For example, BdP decided to and how to develop new regulation. first better understand the digital credit market in Por- tugal before issuing any new rules. BdP took a range of 42   Consumer Risks in Fintech Determining the right regulatory approach c)  responsibilities (such as telecommunications regulators) is also likely to be important for similar reasons. Some Based on a deeper understanding of the market areas of regulation, such as rules governing the use of and of consumers in their jurisdictions, as well as algorithms, may also require coordination beyond the an assessment of existing regulation, policy makers financial sector. should devise an appropriate policy strategy and prioritize actions. Different approaches being taken Cross-border cooperation between authorities may by authorities in this regard are discussed in this paper. be necessary given the increasing ease with which for- It may be the case that it is more appropriate to add eign fintech entities may engage with consumers in targeted rules to existing FCP laws, or it may be nec- other countries. Such coordination may be needed, for essary to develop stand-alone rules. Policy makers example, to promote consistent policy approaches across may also determine it to be preferable to address top- borders and to develop cooperative arrangements to ulti- ics selectively or in a staged manner. Experience from mately assist with supervision and enforcement. It would other countries to date reveals that policy makers are also assist more broadly with knowledge sharing, includ- frequently addressing at least some fintech-related con- ing relating to regional and international market devel- sumer risks using a piecemeal approach, most likely out opments. Given the increasingly cross-border nature of of necessity. Factors affecting prioritization may include, FSPs internationally (which is an issue that, of course, goes for example, the need to address risks that are having beyond fintech entities), greater harmonization and, to the the most significant immediate impact on individual extent possible, regional coordination of regulatory efforts consumers or consumer populations in a particular mar- could be beneficial. For example, efforts have been under- ket. They may also depend on the stage of develop- taken in the East African community to develop a com- ment of particular fintech offerings in the market and mon framework for SIM card registration for the explicit their accessibility to consumers. Ultimately, the optimal purpose of limiting mobile money fraud.245 Another possi- solution will depend highly on country context. A com- ble approach—where relevant—would be to regulate the bination of approaches will likely be necessary in order domestic agents or intermediaries of foreign fintech com- to address the key risks posed to consumers compre- panies, an approach utilized in the case of remittances.246 hensively, regardless of the approach taken. Regulators should be cautious about imposing unnec- A staged approach can be employed, as it is likely that essarily prescriptive regulation. A regulator may deter- ongoing adjustments will need to be made, given the mine legitimately that certain topics and issues are better rapidly evolving nature of fintech innovation as well as addressed through more detailed rules, having regard to the cutting-edge nature of some approaches discussed relevant consumer impacts and industry practices. How- herein. This is demonstrated by some jurisdictions’ pol- ever, it can be useful to start from the premise of develop- icy-development journeys mentioned in the product- ing regulation that will be based on principles and more specific chapters of this paper. general provisions, including supported by guidance, and to adopt more prescriptive regulation only when neces- Regulators should also consider carefully what coor- sary. Setting principles for industry allows providers with dination and cooperation arrangements are needed more flexibility and ideally places less restriction on inno- with national and international authorities to assist vation, but practices will of course need to be appropri- regulatory development and implementation and ately monitored via supervisory activities. Monitoring and ultimately achieve policy aims. Close coordination testing the effectiveness of approaches (including both between fellow domestic financial sector authorities is positive impacts for consumers and compliance costs for likely to be essential, even more so if multiple authori- providers) and maintaining communication with industry ties are responsible for FCP regulation of the financial will be beneficial over the long run in order to determine sector and fintech entities. This is likely to be needed the right balance. for a range of reasons, including to ensure consistency in approaches, mutual assistance with supervision and Regulators should also consider when complementary, enforcement, and effectiveness of complementary initia- non-regulatory measures may be more appropriate tives (such as initiatives to foster financial sector inno- as an alternative to, or until, development of regula- vation and improve financial inclusion and capability). It tory measures. For example, encouraging development could also assist with increasing knowledge and capacity of industry standards and codes of conduct may assist within each institution as well as with broader govern- in establishing industry familiarity with acceptable prac- ment communication and engagement with industry and tices. It may also assist in addressing consumer risks more consumers. Coordination with authorities having related quickly, particularly where FCP regulatory capacity is lim- Overview and Implementation Considerations   43 ited. Of course, this would also depend on the oversight well as traditional media, activity on digital platforms, and and enforcement mechanisms that support such initiatives. various types of industry-side data.251 There is currently debate regarding the appropriate- Supervisors will need adequate resourcing and capac- ness of establishing differentiated regulation based on ity. For example, some commentators claim that effective the type, size, and complexity of entities’ operations. implementation of new P2PL regulations in China has been However, it has also been noted that, on a behavioral level, hampered by lack of resourcing for supervising authorities, specific products and services may carry similar risks for the leading to practical obstacles such as delay of registration consumer, regardless of the type of institution providing approvals and lack of guidance.252 While this should not them, and thus should be regulated accordingly.247 Regula- be used to avoid the need for adequate resourcing, a tors should pay careful attention to the nature and level of realistic assessment of available resources would be one risks in their market when determining the correspondingly of the factors to be considered when planning eventual appropriate level of legal obligations they may decide to implementation of new regulatory measures. Issues can impose to address them. It is also the case that regulators also arise due to lack of clarity regarding regulator respon- are increasingly building proportionality into FCP require- sibility and authority for new types of innovative providers. ments themselves, rather than seeking to predetermine Such issues may need to be addressed, and heightened such proportionality in advance. For example, regimes coordination may need to be pursued among both finan- imposing obligations on FSPs to implement financial prod- cial and non-financial sector authorities as well as on a uct oversight and governance arrangements increasingly cross-border basis. It will also be important for supervisors provide that these arrangements should be proportionate to build internal capacity and expertise, ensuring that they to the nature, scale, and complexity of the FSP’s business have the increasingly multidisciplinary capabilities needed and relevant consumer risk and product complexity.248 to understand and deal with fintech-related risks. A potential pitfall that countries should seek to avoid e) Complementary non-regulatory measures when adopting separate frameworks for traditional and fintech activities of a similar nature is different sub- A range of complementary measures will be needed stantive treatment under different sets of FCP rules. to accompany regulatory measures. As indicated at This can distort competition and encourage regulatory the outset, this paper focuses in particular on regulatory arbitrage. measures to address risks posed by fintech. Regulatory measures are often necessary but are by no means the only measures that will be required. For example, comple- Effective supervision critical for impact d)  mentary measures will be needed to increase consumers’ Effective supervision of any regulatory measures that digital and financial literacy and to increase awareness are implemented, and monitoring of fintech devel- and understanding among market participants regarding opments and consumer risks more broadly, will be responsible practices. essential for policy aims underlying such measures to be achieved. While a discussion of FCP/market conduct Awareness building and efforts to improve financial supervisory practices and approaches is outside the scope capability for both consumers and industry will also of this paper, but it is also important to acknowledge that be essential to support the positive impact of reg- changes in markets, products, and participants fostered ulatory measures, as well as addressing consumer by fintech developments equally also present a range of risks more broadly. For example, it will be imperative challenges and new issues for supervisors.249 to ensure as much as possible—through measures such as awareness campaigns and financial capability initia- Supervisors will need new strategies and new tech- tives and tools—that consumers understand adequately nological tools in order to monitor financial sectors product benefits and risks and their rights and respon- being expanded and changed by fintech entrants and sibilities. It will similarly be essential to promote fintech offerings, including as-yet-unregulated providers and entities’ awareness and understanding—through mea- changed businesses of some already-regulated enti- sures such as regulator guidance and capacity building ties. New publications by the World Bank and FinCoNet and training efforts—of consumer expectations, risks, explore developments in relation to market conduct and issues, as well as of their responsibilities to consum- supervisory technology (suptech) tools that could assist ers, again not limited to legal responsibilities that may supervisors in such contexts.250 Supervisors will need to be specified in regulation but also having regard to fair analyze information from an expanding range of sources, practices more generally. including consumer-side research, monitoring of social as 44   Consumer Risks in Fintech NOTES 30 For example, as further discussed in Chapter 5, earlier in the development of the United States’ P2PL market, the securities regulator felt compelled to issue a cease-and-desist order against a major P2PL platform in order to signal strongly the applica- bility of existing securities legislation. 31 Payment Systems (E-Money) Regulations 2019 (Malawi), s. 5. 32 BSP E-Money Circular 2009 (Philippines), s. 3. 33 Financial Technology Institutions Law 2018 (Mexico), art. 11. 34 Payment Systems and Services Act 2019 (Ghana). 35 Financial Services Act 2013 (Malaysia). 36 The People’s Bank of China and nine other government bodies jointly introduced a new framework in 2015 by initially issuing “Guiding Opinions on Promoting the Healthy Development of Internet Finance” and supported a range of additional rules such as the Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China). 37 See the SEC’s Proposed Rules on Crowdfunding (USA). 38 Financial Technology Institutions Law 2018 (Mexico). 39 Law on Transparency for Financial Services 2007 (Mexico). 40 Mazer, “Does Transparency Matter.” 41 See National Consumer Credit Protection Act 2009 (Cth) (Australia), ss. 6 and 29 (requirement to be licensed if undertaking credit activities). The Act also applies a broad range of conduct and disclosure obligations when engaging in credit activities involving consumers. 42 1933 Securities Act 15 USC § 77a. 43 Lo, “If It Ain’t Broke,” 88–89. 44 Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544) (UK), art. 36H, and FCA, FCA’s Regu- latory Approach, para 2.8. 45 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), Chapter II, Part 4. 46 See, for example, Australia, Corporations Amendment (Crowd-sourced Funding for Proprietary Companies) Act 2018, https:// www.legislation.gov.au/Details/C2018A00106. 47 Buku and Mazer, “Fraud in Mobile Financial Services.” See also ITU-T Focus Group on Digital Financial Services, Commonly Identified Consumer Protection Themes, s. 3.3. 48 See Huang, “Online P2P Lending,” 77. 49 Hornby and Zhang, “China’s Middle Class.” 50 Owens, “Responsible Digital Credit,” 8–9. 51 The Australian regime includes certain very specific and technical exemptions not relevant for the purposes of this discussion. 52 EBA, “Opinion of the European Banking Authority,” para 70 and 71. 53 Peer-to-Peer Lending Information Intermediaries of Guangdong Province—Detailed Implementation Rules for Recordation and Registration (Exposure Draft issued on February 14, 2017). See also Huang, “Online P2P Lending,” 73–74. 54 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 12. 55 Regulation Crowdfunding (USA), Rule 227.400. 56 Corporations Act 2001 (Cth) (Australia), s. 738C. 57 Regulatory Law 2004 (Dubai), art. 42(1), and DFSA Rulebook (Dubai), GEN 2.2.8. 58 SEC’s Proposed Rules on Crowdfunding (Nigeria), art. 4 (e). 59 EBA, “Opinion of the European Banking Authority,” para 70 and 71. 60 Regulatory Law No. 1 of 2004 (Dubai), art. 42, and DFSA Rulebook (Dubai), GEN 5.3.19, GEN/VER48/04-20. 61 As noted earlier, this paper is not intended to cover prudential concerns and requirements. Of course, it is the case that these overlap with consumer risks and FCP rules. For example, for a discussion of the relevance of capital requirements to opera- tional risks, see World Bank Group, Prudential Regulatory and Supervisory Practices, 17–19. 62 FCA Principles for Businesses—October 2020 (UK), 2.1.1R (Principle 3). 63 FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (UK), 4.1.1R and 7.1.3R. 64 Financial Technology Institutions Law 2018 (Mexico), art. 37. 65 EU Directive 2015/2366 on Payments Services 2015 (EU) (PSD2), art. 96. 66 Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), art. 13.(2)1. 67 National Payment System Regulations 2014 (Kenya), s. 29(2)(b) and (c). 68 PSD2, art. 96(1). 69 Payment Systems and Services Act 2019 (Ghana), s. 86(1). 70 Payment Systems and Services Act 2019 (Ghana), s. 20(2) 71 PSD2, art. 73 and 74. 72 PSD2 2015, art. 71(1). Here the relevant period is 13 months, but this should not be considered the norm. 73 PSD2, art. 51, 69, and 70. 74 PSD2, art. 72(1). 75 Regulation Crowdfunding (USA), Rule 227.301. 76 FCA Consultation Paper 18/20 (UK), 4.21 and 4.22. Overview and Implementation Considerations   45 77 Corporations Act 2001 Pt 6D.3.A—Crowd Sourced Funding, s. 738Q(5). 78 DFSA Rulebook (Dubai), COB 11.3.6. 79 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), Rule 13.05. 80 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26. 81 See, for example, Kyamutetera, “Hackers Break Into Mobile Money System.” See also Stanbic Bank Uganda, MTN Uganda, and Airtel Uganda, “System Incident Impacting Bank.” 82 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Ser- vices (Indonesia), art. 25; Financial Services Authority Circular Number 18/SEOJK.02/2017 Regarding Information Technology Risk Management and Management in Information Technology-Based Lending (Indonesia). 83 PSD2, art. 95. 84 BNM Guideline on E-Money 2016 (Malaysia), ss. 8.2–8.5. 85 Payment Systems and Services Act 2019 (Ghana), s. 45(1). 86 See, for example, ASIC, Survey of Marketplace Lending Providers: 2016–2017, para 21. 87 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 17 and annex VI. 88 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 9(3). 89 PSD2, arts. 83–87. 90 Payment Systems and Services Act 2019 (Ghana) s. 45(2). 91 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.19. 92 EBA, “Opinion of the European Banking Authority,” para D3 and 43. 93 EBA, “Opinion of the European Banking Authority,” para 79–80. 94 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 9(1). 95 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 24. 96 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.34–3.36. Also, see FCA Client Assets Source- book—October 2020 (UK), 7, and FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (UK) 4.1.8ER. 97 For a discussion of fund-segregation requirements, see also World Bank Group, Prudential Regulatory and Supervisory Practices, 19. 98 Payment Systems (E-Money) Regulations 2019 (Malawi), Part IV. 99 National Payment System Regulations 2014 (Kenya), s. 25(3) and Fourth Schedule. 100 Payment Systems and Services Act 2019 (Ghana), s. 46. 101 See https://www.federalregister.gov/documents/2016/11/22/2016-24503/prepaid-accounts-under-the-electronic-fund-trans- fer-act-regulation-e-and-the-truth-in-lending-act#footnote-150%E2%80%89151-p83947. 102 Havrylchyk, Regulatory Framework, 26. 103 EBA, “Opinion of the European Banking Authority,” para 69. 104 PSD2, art. 5 (1)(h). 105 BNM Guideline on Electronic Money (Malaysia), ss. 7.2 and 8.4. 106 Thirty-one percent of respondents selected limited disclosure of costs as the main market conduct and consumer protection issue, followed by high costs of digital microcredit (14 percent), limited suitability and misleading advertising (14 percent), and data security and privacy (12 percent). See AFI, “Digitally Delivered Credit: Policy Guidance Paper.” 107 Kaffenberger and Totolo, Digital Credit Revolution. 108 FCA’s General Standards and Communication Rules for the Payment Services and E-money Sectors in Policy Statement PS 19/3 2019 (UK), para 3.18 to 3.24. 109 For example, see Lenz, “Peer-to-Peer Lending,” 695. 110 Truth in Lending Act 1968 15 USC § 1601 (USA). 111 Truth in Lending (Regulation Z) 12 CFR Part 1026 (USA). 112 National Payment System Regulations 2014 (Kenya), s. 35(1). 113 Busara Center for Behavioral Economics, Pricing Transparency. 114 Examples of such requirements can be found in Kenya, Malawi, and Malaysia. See National Payment System Regulations 2014 (Kenya), s. 35(1)(a); Payment Systems (E-Money) Regulations 2019 (Malawi), s. 21(3)(e); and BNM Guideline on Electronic Money 2016 (Malaysia), s. 9.3 (i). 115 For example, the EU Payment Services Directive 2015 (PSD2) requires that all charges be disclosed to the consumer before the contract is entered into and before a transaction is initiated. 116 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil). 117 National Payment System Regulations 2014 (Kenya), ss. 41(1)(a) and (2). 118 BSP E-Money Circular 2009 (Philippines), s. 4(G). 119 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 120 ASIC’s guidance on good practices for digital disclosure discusses the importance of clients being able to keep a copy of disclosed information so that they can access the information in the future. This can include the ability to save either a digital copy or a hyperlink to disclosed information on a website that continues to be accessible for a reasonable period of time. See ASIC, Facilitating Digital Financial Services Disclosures. 121 For example, Kenya’s National Payment System Regulations 2014 require publication of terms and fees (rates) and display at “all points of service,” s. 35, and BNM Guideline on Electronic Money 2016 requires that terms and conditions must be available through various channels, including on the issuer’s website, in brochures, and on registration forms, s. 9.3. 46   Consumer Risks in Fintech 122 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China). 123 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil). 124 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72. 125 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 126 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 12(2). 127 For example, on a monthly or quarterly basis (depending on loan term), P2PL operators in China must provide to lenders/ investors prescribed ongoing information in relation to their individual loans, including changes to the borrower’s financial circumstances and repayment ability, any overdue repayments, and additional charges imposed on the borrower and other matters may affect their position. See Banking Regulatory Commission Guide to the Disclosure of Information on Business Ac- tivities of Peer-to-Peer Lending Information Intermediaries 2016 (China), art. 9 and Attachment—Explanation on the Content of the Disclosure of Information. In the United Kingdom, operators must ensure that, at any point in time, a lender/investor is able to access a range of details of each of their loans, such as pricing, the borrower’s interest rate, a fair description of the likely actual return, taking into account fees, default rates, and taxation, and so on. See FCA Conduct of Business Source- book—October 2020 (UK), 18.12.31R. 128 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 10. 129 For example, Kenya has requirements for the payment service provider “without undue delay” to provide the payer with a unique transaction reference and detail of the amount, payee and their account, and the debit. See National Payment System Regulations 2014 (Kenya), s. 35(3). 130 For example, in Ethiopia, at least the last 10 transactions must be available for viewing online. See Licensing and Authoriza- tion of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), art. 12(2). 131 For example, the Payment Systems and Services Act 2019 (Ghana) requires seven days’ notice of changes to fees and charges, which must be made through SMS or any other method approved by the Bank of Ghana, s. 45(9). 132 ITU-T Focus Group on Digital Financial Services, Main Recommendations. 133 See National Payment System Regulations 2014 (Kenya), s. 35(1); Payment Systems and Services Act 2019 (Ghana), s. 44(a). 134 https://www.fca.org.uk/publications/discussion-papers/smarter-consumer-communications-further-step-journey. 135 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 136 Busara Center for Behavioral Economics, Pricing Transparency. 137 FCA, Feedback Statement FS16/10. 138 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 139 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 3. 140 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 141 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 142 Payment Systems and Services Act 2019 (Ghana), s. 45(5). 143 FCA, Feedback Statement FS16/10. 144 ASIC, Facilitating Digital Financial Services Disclosures. 145 Based on World Bank conversation with Competition Authority of Kenya. The guidelines apply to financial services conducted through SIM cards, USSD, and apps. 146 Mazer, “Does Transparency Matter.” 147 Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” 148 Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” Subsequent to this study, the digital microcredit provider in the study integrated research insights into its new USSD menus, including (1) separating finance charges from principal, (2) adding a line showing loan fees as a percentage, (3) adding a separate screen with late payment penalties, and (4) creating active choice to view terms and conditions. 149 EC, Behavioral Study on Digitalisation. 150 Circular SB. SG. No. 00065/2015. 151 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 152 ASIC, Facilitating Digital Financial Services Disclosures. 153 EC, Behavioral Study on Digitalisation. 154 Duoguang, “Growing with Pain,” 49. 155 FCA, FCA’s Regulatory Approach to Crowdfunding over Internet, para 3.75. 156 FCA’s General Standards and Communication Rules for the Payment Services and E-money Sectors in Policy Statement PS 19/3 2019 (UK), para 3.18–3.24. 157 The study found that 20 percent of consumers who had taken out credit were actively prompted by the digital application system to indicate a higher income. See FinCoNet, Report on Digitalisation. 158 FinCoNet, Report on Digitalisation. 159 EC, Behavioral Study on Digitalisation. Overview and Implementation Considerations   47 160 All examples from OECD, Short-Term Consumer Credit. 161 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72. 162 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 163 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 12(2). 164 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.5.6R; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.74–3.75. 165 Financial Markets Authority of New Zealand, Fair Dealing in Advertising. 166 Consumer Credit Act 1991 (Belgium), art. 6. 167 Committee of Advertising Practice, “Trivialisation in Short-Term High-Cost Credit Advertisements.” 168 Directive 2002/65/EC on distance marketing of consumer financial services. 169 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 170 For example, see SEC Regulation Crowdfunding (USA) and DFSA Rulebook (Dubai). 171 SEC Regulation Crowdfunding (USA), General Rules and Regulations 17 CFR Part 227 (USA), Rule 402(a). 172 DFSA Rulebook (Dubai), COB 11.5.2. 173 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.45–5.47. 174 For example, an estimated 500,000 digital borrowers in Kenya have been blacklisted by credit-reference bureaus, https:// www.theeastafrican.co.ke/business/Should-digital-lenders-worry-as-clients-struggle/2560-5179802-fs8a8qz/index.html. 175 DFSA Rulebook (Dubai), COB 11.5.3. 176 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7. 177 See Lenz, “Peer-to-Peer Lending,” 699. 178 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.7. 179 Platforms in the United Kingdom are required to classify investors to determine whether direct financial promotions for un- listed securities can be communicated to them (for example, links to an investment website or to an investment subscription form). Only retail investors that are certified as sophisticated investors, who certify as high-net-worth investors, who confirm that they will receive regulated advice, or those who confirm that they will not invest more than 10 percent of their net invest- able portfolio in unlisted securities may be the targets of a direct offer. 180 Corporations Act 2001 (Cth) (Australia), ss. 738G(1)(d) and 738G(2). 181 Guidelines on Recognized Markets SC-GL/6-2015(R4-2020) (Malaysia), 13.9. 182 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 17. 183 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7. 184 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.5, 4.5A. 185 DFSA Rulebook (Dubai), COB 11.3.1 to COB 11.3.2. 186 SEC Regulation Crowdfunding introduced a new category of registered intermediary, a funding portal, that may facilitate transactions under the exemption, subject to certain restrictions. The statute and rules provide a safe harbor from broker-deal- er registration under which funding portals can engage in certain activities conditioned on complying with the restrictions im- posed by SEC’s Regulation Crowdfunding. For example, a funding portal may not offer investment advice or make recommen- dations; solicit purchases, sales, or offers to buy securities offered or displayed on its platform; compensate promoters and others for solicitations or based on the sale of securities; or hold, possess, or handle investor funds or securities. See https:// www.sec.gov/regulation-crowdfunding-2019_0.pdf. 187 See, for example, ASIC, Survey of Marketplace Lending Providers (Report 526), para 81–82; see also Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26. 188 See, for example, FinCoNet, FinCoNet Report on Responsible Lending. 189 National Credit Act 2005 (South Africa), Part D. 190 Money Lending Business Act 1983 (Japan), art. 13-2. 191 FCA Consumer Credit Sourcebook—October 2020 (UK), 5.5A. 192 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 4.1–4.6. 193 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 6(1). 194 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 21. 195 FCA Conduct of Business Sourcebook—October 2020 (UK), 10. 196 FCA Conduct of Business Sourcebook—October 2020 (UK), 10.2.9G. 197 Boeddu and Grady, Product Design and Distribution; FinCoNet and the G20 Task Force are also undertaking detailed re- search on policy and supervisory approaches to financial product governance with a report expected to be published in 2021; see FinCoNet, “FinCoNet Annual General Meeting.” 198 EBA, Second EBA Report. 199 AFI, “Digitally Delivered Credit: Consumer Protection Issues.” 200 McKee et al., “Doing Digital Finance Right.” 201 FinCoNet, Guidance to Supervisors on Digitalization. 202 See, for example, Owens, “Responsible Digital Credit,” 18, and The Economist, “Created to Democratise Credit.” 203 Oxera, Crowdfunding from Investor Perspective, 25; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), 43 and 45. 48   Consumer Risks in Fintech 204 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.42–4.46. 205 See, for example, Dentons, “SEC Adopts Final Rules,” 12. 206 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.39–5.40. 207 Resolution no. 18592 of 26 June 2013 (Italy), art. 13. 208 National Consumer Credit Protection Act 2009 (Cth) (Australia), s. 47(1)(b), and Corporations Act 2001 (Cth) (Australia), s. 912A(1)(aa). 209 FCA Principles for Businesses—October 2020 (UK), 2.1.1R (Principle 8). 210 For example, see FinCoNet, Guidance to Supervisors on Setting of Standards, and World Bank Group, Good Practices, C8: Compensation of Staff and Agents. 211 SEC Regulation Crowdfunding (USA), Rule 227.302 (d). 212 Corporations Act 2001 (Cth) (Australia), s. 601FC(1)(c). 213 FCA Principles for Businesses—October 2020 (UK), 2.1.1R (Principle 6). 214 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 3(2). 215 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.38–4.41. 216 SEC Regulation Crowdfunding (USA), Supplementary Information, 163. 217 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 10. 218 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 3(3). 219 This topic is interlinked with the data privacy risks discussed below, as algorithmic scoring in fintech relies on alternative data and big data analytics. 220 See, for example, Hong Kong Market Authority, Consumer Protection; EBA, Final Report on Guidelines, s. 4; GDPR, art. 22. 221 EBA, Final Report on Guidelines. 222 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 223 Big data refers to situations where high volumes of different types of data produced with high velocity from a high number of various types of sources are processed, often in real time, by IT tools such as powerful processors, software, and algorithms. 224 For further discussion of these issues see, for example, OECD, Financial Consumer Protection Policy Approaches, and Grady et al., Financial Consumer Protection. 225 Grady et al., Financial Consumer Protection. 226 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 227 See also, for example, the discussion of data privacy in a DFS context in OECD, Financial Consumer Protection Policy Ap- proaches. 228 Consumer Privacy Act of 2018 (California, USA). 229 Consumer Privacy Act of 2018 (California, USA), s. 1798.140(o)(1)(K). 230 Consumer Privacy Act of 2018 (California, USA), s. 1798.140(o). 231 GDPR, Recital 43. 232 GDPR, art. 5(1). 233 MicroSave, “Making Digital Credit Truly Responsible.” 234 GDPR, art. 5(1). 235 Also see OECD, Financial Consumer Protection Policy Approaches. 236 Bill on Consumer Online Privacy Rights Act, s. 2968, 116th Congress (December 2019) (USA). 237 GDPR, art. 20. 238 GDPR, art. 17. 239 For a detailed discussion and country examples, see also G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protection Policy Approaches. 240 Megaw, “Peer-to-Peer Groups”; Makortoff, “Peer-to-Peer Lender.” 241 Deng and Yu, “Business Is Withering.” 242 Based on discussion with BdP. See BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. Also see BdP Circular Letter No. CC/2018/00000004 for form of questionnaire. For further details, see G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protec- tion Approaches. 243 FCA, Financial Lives Survey. 244 World Bank Group, Global Experiences from Regulatory Sandboxes. 245 Buku and Mazer, “Fraud in Mobile Financial Services.” 246 A similar approach is utilized in the case of remittances, where domestic regulation applies to agents that originate or disburse remittances. 247 ASBA and IDB, Consumer Protection, 21. 248 See Boeddu and Grady, Product Design and Distribution, 10 and 23. 249 See, for example, ASBA and IDB, Consumer Protection, 41–52; FinCoNet, Guidance to Supervisors on Digitalisation. 250 World Bank Group, Next Wave; FinCoNet, SupTech Tools. 251 For example, see FinCoNet, Guidance to Supervisors on Digitalisation. 252 Reuters, “Regulatory Problems.” DIGITAL MICROCREDIT 4 DIGITAL MICROCREDIT 4.1 INTRODUCTION products, and a variety of pricing models may be used. Digital microcredit providers may charge fixed interest a)  Scope of chapter rates per day, week, or month. Interest rates vary widely. This chapter focuses on innovative microcredit products When translated into APR, studies have shown rates for that are seeing significant consumer take-up, particu- digital microcredit ranging from 24 to 174 percent254 and larly in emerging market and developing economies. from 12 to 621 percent in Kenya specifically.255 Alterna- These products are typically accessed via mobile devices tively, flat fees or fees based on a percentage of loan and often involve automated credit scoring and fast principal may be charged instead of (or in addition to) approval. For purposes of this paper, such products are interest rates. Digital microcredit offers may be bundled referred to herein as “digital microcredit.” Digital micro- with additional products, such as bill-payment services, credit products introduce new manifestations of risks to money-transfer services, and insurance. consumers due to the unique characteristics of such prod- ucts. Note that in order to provide focused discussion of a Digital microcredit products are accessed via remote defined set of products, this chapter does not specifically digital channels with little to no human interaction. The cover lending via mobile banking (that is, traditional loan majority of digital microcredit models initially relied on products accessed through a bank’s mobile banking plat- feature phones, using SMS, SIM card toolkits, or Unstruc- form) or online or digital lending more broadly, including tured Supplementary Service Data (USSD). Increasingly, the increasing range of credit services being made avail- digital microcredit products are also available via smart- able to consumers via non-financial institutions such as phones and app-based lenders. For example, in Sub-Sa- e-commerce platforms. However, many of the risks dis- haran Africa, digital microcredit offered via feature phones cussed below (as well as regulatory approaches) may also remains predominant in Kenya and Tanzania, whereas in apply to broader online and digital lending. Nigeria the number of feature phone-based products equals that of app-based digital microcredit products.256 Funds are disbursed directly into mobile money accounts b) Key characteristics of digital microcredit or bank accounts. Digital microcredit products, particularly in developing countries, are often short term and low value and may Digital microcredit products are rapidly approved and have high fees. Loan terms can range from one week to typically employ automated credit scoring that lever- a few months. Loan sizes range from a few to a few hun- ages alternative data. The application and approval dred US dollars. For example, a 2017 study in Tanzania process for digital microcredit is often instantaneous or found the mean loan size for digital microcredit to be TSh near instantaneous or takes only a matter of hours. Digital 33,757 (approximately $15).253 Digital microcredit prod- microcredit models frequently rely on innovative, alterna- ucts tend to be more expensive than traditional credit tive data sources such as mobile phone activity, mobile 50 Digital Microcredit    51 money transactions, or social media data. Such data is c)  Benefits and risks of digital microcredit analyzed via algorithmic processing to generate rapid, Digital microcredit has expanded access to credit to automated credit decisions. Digital microcredit providers millions of low-income consumers, many with no formal may outsource certain activities to third parties, including credit histories. Digital microcredit can also be quick and algorithm development, data analytics, and credit scor- convenient to obtain, with little formal documentation ing, as well as marketing and loan recovery. required and no need to visit physical outlets. Business models for digital microcredit often involve However, digital microcredit also poses new manifes- non-bank lenders and outsourcing to third parties. tations of risk to consumers arising from the digital Digital microcredit providers include banks, MNOs, and delivery channel and the nature of the product and other non-bank lenders. Though digital microcredit busi- underlying business models. Consumer risks can arise ness models are constantly evolving, many can be cate- due to digital delivery channels, such as with respect to gorized under one of the following four models:257 poor disclosure via feature phones. Consumer vulnera- 1. Bank + MNO partnership: Licensed bank partners with bility to aggressive sales and marketing practices can be MNO with mobile money service. Bank conducts credit heightened by digital microcredit providers who exploit scoring and lending; MNO provides access to custom- behavioral biases. The increasing prevalence of short- ers, transactional data, and channel for disbursements term, high-cost consumer credit has already raised alarm and repayments (for example, M-Shwari in Kenya and in many countries. The risks related to such loans can be M-Pawa in Tanzania). compounded where digital loans are marketed to con- sumers with little regard for the capacity to repay. Con- 2. Non-bank lender + MNO partnership: Regulated or sumers may face aggressive debt collection practices and semi-regulated non-bank financial institution partners inappropriate use of personal data. Digital microcredit with MNO (for example, Timiza and Nivushe in Tanza- also poses new risks that arise from the use of alternative nia). data and algorithmic scoring models. 3. E-money issuer + regulated financial institution: Li- censed e-money issuer partners with bank or semi- Such risks have already translated into real harms to regulated non-bank financial institution (for example, consumers. As noted above, the levels of non-perform- Billetera Personal by Personal S.A. in Paraguay). ing loans and defaults are quite high in certain digital microcredit markets. Consumers are developing negative 4. Non-bank mobile internet application: Non-bank credit histories and may become increasingly indebted lender, often unregulated, may be based outside the and caught in debt traps. Instances have been observed country; accessed via smartphones and utilize smart- of digital microcredit borrowers reducing food purchases phone data (for example, Branch in Kenya and Tanza- in order to repay a digital microloan.262 On the flip side, nia and Tala in Kenya, Philippines, Mexico, and India). use of algorithms may lead to discrimination and unfairly exclude potential borrowers. Digital microcredit customers often use digital micro- credit for day-to-day needs and household expens- es.258 Some digital microcredit providers target specific Emerging examples of regulatory approaches to d)  customer segments, such as low-income borrowers, address risks urban borrowers, small-business owners, or students. The following sections explore new manifestations of Many consumers have an ongoing need for such loans, risks to consumers that arise from digital microcredit as evidenced by the high number of consumers who have and emerging policy approaches to address such risks. active digital loans, borrow on a recurring basis, and have Discussion of risks to consumers and accompanying reg- multiple digital loans.259 In addition, 56 percent of bor- ulatory approaches to address such risks are organized by rowers in Tanzania and 47 percent in Kenya indicate they the following categories: have been late on repayments for digital microcredit. 260 Data from digital microcredit borrowers in Kenya between • Disclosure and transparency (for example, incomplete 2016 and 2018 showed that more than a quarter of active or non-transparent information on pricing, inadequate digital loans were non-performing loans, and half of non- access to incomplete T&C, poor format of disclosure performing digital loans had outstanding balances of less and user interface, poor timing and flow of disclosed than $10.261 information). 52   Consumer Risks in Fintech • Marketing practices via remote channels (for example, CONSUMERS NOT PROVIDED WITH 4.2  “push” marketing and unsolicited offers, exploitation ADEQUATE INFORMATION of behavioral biases, misleading ads targeting vulner- able consumers, remote nature and speed of digital Poor disclosure practices are a common cause for con- channels). cern with respect to digital microcredit, due to poor • Unfair lending (for example, high prices, business practices by providers and exacerbated by digital models based on high loss rates, mass marketing to disclosure factors and constraints. Risks to consumers consumers without assessing ability to repay, rolling can arise from a lack of key information being disclosed, over loans and multiple borrowing, abusive debt col- information being disclosed in an unclear manner, and lection practices) information being disclosed too late to be of use to con- sumers. For example, in a study on digital microcredit in • Algorithmic scoring (for example, bias and discrimina- Kenya and Tanzania, 19 percent of borrowers in Kenya tion based on proxies reflecting sensitive attributes). and 27 percent of borrowers in Tanzania reported expe- • Gaps in the regulatory perimeter (for example, digi- riencing poor transparency, such as unexpected fees or tal microcredit providers not being subject to require- not understanding the terms of a loan. Experiencing poor ments equivalent to those for traditional lenders or not transparency correlated with higher levels of late repay- falling under any regulatory authority). ment and default (37 percent and 39 percent, respec- tively) compared to digital borrowers that did not report Due to the cutting-edge nature of many risks, real-life experiencing poor transparency.263 Conveying informa- examples of regulatory approaches specific to digi- tion clearly and comprehensively via the small screens of tal microcredit are still limited. Therefore, this chapter mobile phones also poses an inherent challenge. draws from multiple sources depending on the nature of the consumer risk. For example, to address risks related to Fundamental good practices for disclosure and trans- the challenges of effective disclosure via digital channels, parency remain relevant to digital microcredit, but with examples are drawn from a range of emerging approaches necessary adaptations to address the unique aspects related to digital disclosure more broadly. Similarly, of digital microcredit and digital channels. As a starting addressing risks related to aggressive marketing and unfair point, existing disclosure and transparency rules could be lending practices draws from approaches used to address made to apply to digital microcredit, such as use of plain such issues for short-term, high-cost consumer credit language. The principle of having clear and consistent (whether digital or not) that have been employed in devel- pricing information, such as APR and TCC, will require oped countries. In all cases, concrete examples of regula- adaptation for digital microcredit. Requirements geared tory approaches employed by policy makers are provided toward paper-based approaches, such as KFSs, will also where available. However, where real-world examples of require adaptation for digital channels. Practical means for regulatory approaches are lacking, suggested approaches highlighting the most important T&C of a digital microcre- are instead drawn from relevant research and international dit product will be even more critical than when highlight- guidance, or from innovative approaches introduced by ing T&C of standard credit products, given the limited industry that could be further encouraged by policy mak- space to convey information. ers. For example, emerging proposals on how to address risks arising from the use of algorithms draw from a range Digital channels do not only have to pose a challenge of research on algorithms, artificial intelligence (AI), and to transparency, though; digital models can also be machine learning, often in settings beyond credit scoring actively and strategically leveraged to enhance trans- or beyond the financial sector. parency. For example, mobile channels provide an opportunity to have interaction with a consumer that is more dynamic than that provided by a static document. Summary of risks and regulatory approaches e)  Digital channels also allow for more personalization. Dig- discussed in this chapter ital models provide an opportunity to incorporate behav- Table 3 summarizes the new manifestations of con- ioral insights into the design and the process of disclosing sumer risks and corresponding regulatory approaches information, which could be leveraged to address com- discussed in this chapter. mon shortfalls in disclosure. Countries that have begun to tackle these issues increasingly seek to integrate behavioral insights and rely on practical guidance. Leveraging the wide range of existing research on how to make disclosure more effec- Digital Microcredit   53 TABLE 3: Consumer Risks and Regulatory Approaches: Digital Microcredit RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Disclosure and transparency • Require prominent disclosure of both total cost metrics and clear 54 breakdown of costs Content of disclosure • Require disclosure of key T&C in channel being used for transaction • Information on pricing is incomplete and non- transparent (for example, range of different • Indicate specific T&C that must be disclosed in transaction channel methods used to convey pricing, finance charges • Require access to full T&C, including after transaction completed not disclosed separately from principal or) • Inadequate access to complete information on T&C—for example, links to full T&C provided at separate location) Format of disclosure • Encourage greater standardization in presentation of fees/pricing 55 • Lack of standardized format for costs • Require plain language without technical jargon or graphical elements • Information conveyed via mobile phones in affecting readability a format or manner that does not facilitate • Require standardized presentation of information adapted for digital comprehension channels (for example, bite-sized chunks of info provided in consistent • Consumers may not be able to retain information manner) • Provide secondary layers of information for further details • Provide offline channels to obtain further info and assistance as well as the ability to access info for future reference Timing and flow of information • Require order and flow of info to enhance transparency and 57 • Key information such as pricing provided after comprehension, providing an intuitive “digital journey” through a completion of a transaction transaction process • Less appealing information may be de-emphasized • Require disclosure of pricing and key T&C earlier in transaction process • Leverage behavioral insights to encourage consumers to engage with info (for example, require confirmation to move to next stage of transaction) User interfaces • Require user interface be user-friendly and easy to navigate, including 58 • User interface may not be user-friendly, with on low-end mobile devices complex menus that are difficult to navigate • Encourage consumer testing of user interfaces • Require providers to provide guidance to consumers on user interfaces Marketing practices via remote channels • Require explicit warnings on risks of short-term, high-cost credit and 59 • Push marketing and unsolicited offers encourage information on alternatives to such loans and helpful resources impulse borrowing • Ban sales practices that focus on ease of obtaining credit, trivialize • Exploitation of behavioral biases (for example, credit, or target vulnerable consumers encouraging borrowing of maximum amount • Slow down process of transacting digitally to allow consumers more possible, trivializing loans) time for reflection and deliberation (for example, intermediate steps/ • Misleading ads targeting vulnerable consumers screens, adding a review screen) or appropriate cooling-off period (for example, emphasizing benefits, hiding risks, • Require loan options be presented in manner that is beneficial (or at unrealistic offers with hidden conditions, marketing least neutral) to consumers and not exploitative (for example, banning on weekend evenings) default selection of maximum loan size, pre-ticked boxes that lead • Remote nature of digital channels and rapid speed customers to suboptimal options) of transactions increase consumer vulnerability Unfair lending • Require providers to assess the ability of prospective customers to 61 • High prices for digital microcredit repay loans and grant loans only where they are affordable to potential borrower • Mass marketing to consumers with little assessment of individual consumer circumstances or ability to • Impose requirements that limit rollovers and multiple borrowing to repay (“lend-to-learn” models) decrease risk of over-indebtedness • Certain business models based on high loss rates • Require enhanced monitoring of loan portfolio, particularly where (for example, large late fees relative to size of loan) automated credit scoring is utilized • Poor practices such as rolling over loans or • Apply product design and governance rules to digital microcredit—that encouraging multiple borrowing is, design process and customer acquisition plans should ensure that potential harms and risks to consumers are considered and mitigated • Abusive debt collection practices utilizing mobile phone and social media data to contact relatives, • Adapt debt collection rules to prevent abusive debt collection practices friends, and colleagues utilized by digital lenders 54   Consumer Risks in Fintech TABLE 3, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Algorithmic scoring • Apply fair treatment and anti-discrimination rules to algorithms 64 • Biased outcomes due to poor algorithm design, • Require appropriate procedures, controls, and safeguards during incomplete or unrepresentative input data, biased development, testing, and deployment of algorithms to assess and input data manage risks related to bias and discrimination • Discrimination based on proxies reflecting sensitive • Require regular auditing of algorithmic systems by external experts attributes • Ensure transparency to consumers regarding use of algorithms • Consumers unaware or powerless regarding use of • Provide consumers with the right not to be subject solely to automatic algorithm processing and the right to request human intervention • Regulators lack technical expertise to evaluate algorithmic systems; proprietary nature of algorithms Regulatory perimeter (cross-cutting issue) • Establish activity-based framework covering all providers of digital 67 • Unlevel playing field for different types of providers, microcredit (banks, MNOs, non-bank lenders) so that activities with the with often weaker rules for non-bank lenders same risks are covered by the same rules • Regulatory gaps for app-based lenders, who may • Where activity-based approach not feasible, be opportunistic and build not be covered by any regulatory authority and/or off of existing rules and powers to cover non-bank microcredit providers may be based in another country • Coordinate with domestic and international regulatory authorities • Consider regulating domestic agents and intermediaries of foreign fintech companies • Pursue complementary, non-regulatory measures, including industry codes of conduct and working with mobile platforms to establish and enforce rules in key areas for app-based lenders tive, particularly by incorporating insights on consumer or monthly basis depending on the provider or product. behavior, will be important. As technology and business Fees for third-party charges, such as cash-out fees by an models continue to evolve rapidly, policy makers will MNO or fees for bundled products, are not clearly com- need to balance between providing flexibility for innova- municated to consumers. As a result, it is difficult for con- tion with the need for clear, prescriptive rules for certain sumers to understand the full costs of a digital microcredit elements of disclosure. Obtaining a better understanding product or to compare across providers easily, difficulties of industry practices and providing ongoing and evolv- that can be made greater by the remote and speedy ing guidance to industry is a useful approach, rather than method of acquiring such credit via a digital channel. moving too quickly to issue rigid rules. Regulatory approaches to address lack of complete information on pricing a)  Lack of adequate information Similar to paper-based disclosure, digital microcre- Consumers often face a lack of key information when dit providers could be required to provide total cost obtaining digital microcredit products. Full information indicators. Research on digital microcredit has shown on cost and relevant T&C is particularly incomplete for that presenting TCC (as opposed to showing fees indi- digital microcredit products. A 2015 survey of regulators vidually, with no sum indicating total cost) results in in 15 developing countries found that limited disclosure consumers being 64 percent more likely to choose the of costs was the highest market conduct concern for reg- lower-cost loan product.265 Total cost indicators such as ulators with respect to digital microcredit.264 APR or TCC can be used to capture all known up-front and recurring costs over the life of a digital microloan, Risk: Lack of complete information on pricing including costs for required third-party services. Partic- Pricing for digital microcredit products is very often ularly given the short-term nature of digital microcredit, incomplete and non-transparent. Issues that commonly policy makers should consider which metric (APR or TCC) arise include pricing for digital microcredit being por- is more appropriate and useful to consumers. Though trayed in the form of an interest rate, finance charge, or APR is typically preferred, TCC (a monetary figure) may a combination of the two. Finance charges are often not be more useful in the case of short-term credit.266 conveyed separately from repayment of principal. Total cost metrics such as APR and TCC are often not pro- In either case, total cost indicators would need to be vided. Repayments may be presented on a daily, weekly, calculated in a consistent manner and displayed prom- Digital Microcredit   55 inently in a digital context. APR and TCC are often nels (including both internet platforms and mobile apps), required to be emphasized in paper-based disclosures. with the intent to ensure respect for the rights of bank cus- Such emphasis can be replicated in mobile disclosure— tomers, in particular in the access to precontractual and for example, by highlighting APR or TCC visually and contractual information.270 requiring that it be included on the same screen with headline prices. It may be worthwhile for regulators to be more pre- scriptive regarding which specific T&C are considered In addition to total cost indicators, a clear breakdown key and must be disclosed in this summary. Guidance of fees is likely to be important. Consumer focus groups on digital credit from FinCoNet states that providers have shown that a price breakdown or summary of charges should be required to provide a summary of key infor- is very beneficial to consumers’ understanding of personal mation to consumers including specific features such as loans.267 In particular, finance charges should be displayed TCC, APR, and repayment amounts, risks, such as conse- separately from repayment of loan principal. Research has quences of rollovers and late repayment, and their right shown that separating financing fees from loan principal to obtain further information or recourse.271 When dis- repayments improves consumer borrowing decisions as closing risks, risks should be given equal prominence as evidenced by a decrease in default rates.268 Charges for benefits. For example, the Bank of Lithuania requires that bundled services should also be disclosed separately. advertisements not show benefits unless they are equally visible as potential risks.272 Information on bundled prod- Risk: Inadequate access to key information on ucts should also be provided. In Pakistan, one of the larg- terms and conditions est digital credit providers conducted focus groups with T&C are often not easily accessible. Given the limited consumers in order to identify the main T&C to focus on space available to convey information via mobile chan- disclosing, such as risks of being reported to the credit nels, some providers cherry-pick appealing information bureau or not being able to graduate to a higher credit to disclose, providing incomplete information on risks or limit. The provider itself noted that it would be benefi- other obligations. Where full T&C are made available, a cial to have prescriptive rules on what specific key T&C common practice among digital microcredit providers is must be actively disclosed to the consumer, tailored to to provide a link to full T&C to be found online. This poses the particular risks and vulnerabilities of local consumers a significant barrier to feature phone users to access of digital credit products.273 such information, as well as an inconvenience to smart- phone users in the middle of a transaction. In addition, Digital channels also provide the opportunity to craft T&C found online are often long and full of complex legal messaging regarding key T&C that is more tailored language and technical terms, making the information than with static paper-based disclosure. For example, difficult for consumers to understand. T&C may also be providers can highlight risks specific to the particular user difficult to store and access at a later date. or product being purchased, such as the risk of variable interest rates. Regulatory approaches to address inadequate access to key information on terms and conditions Full T&C should also be made accessible after the dig- Requiring a summary of key T&C to be disclosed within ital loan transaction is completed. In Australia, ASIC the channel being used to access the digital microcre- guidance on good practices for digital disclosure notes dit product would help lack of awareness about T&C. that clients should be able to keep a copy of disclosed Merely linking to full T&C elsewhere could be insufficient, information so that they can access the information in the although access to full T&C should be provided prior to future. This can include either the ability to save a digital conclusion of the transaction. For example, when conduct- copy, or provision of a hyperlink to disclosed information ing sales of retail banking products and services via digital on a website that continues to be accessible for a reason- channels, financial institutions in Portugal are required to able period of time.274 “prominently present information on the basic features of the banking product or service and on other elements b)  Poor format of disclosed information deemed relevant, such as fees and expenses that may be applicable, on the main screen or webpage of the Disclosing information in an engaging format is espe- marketing platform, using larger characters, information cially critical in digital microcredit’s digital context. Key boxes, pop-ups, simulations, overviews or other similar information may be difficult to find or hard to understand. means.”269 In addition, BdP requires credit institutions to Particularly with respect to feature phones, practical lim- report to BdP information on the marketing of consumer itations on the space to convey information as well as the credit products initiated and concluded via digital chan- ability use different design formats pose a challenge to 56   Consumer Risks in Fintech transparency. Consumers’ attention span may also be more mat or manner that facilitates comprehension. Several limited, combined with a desire for rapid transactions. challenges arise due to the nature of the digital channel. Space is limited to convey all information fully. The basic Risk: Lack of standardized format for costs technology of feature phones limits the design elements A particular issue with respect to digital microcredit that can be used to convey information. Mobile channels seems to be inconsistent practice toward disclosing do not allow for further explanations about key T&C that costs. As stated above, costs associated with digital consumers may find confusing. These challenges are microcredit are disclosed as rates or monetary figures and compounded by the behavioral tendencies of consumers, using a variety of repayment periods. The proliferation of who already tend to pay less attention to T&C for short- different and sometimes complex pricing methods can be term loans.277 confusing for consumers and, in some cases, is used by providers to hide fees. In addition, consumers may not be given the ability to retain information. Retention of disclosed information is Regulatory approaches to address lack of important as a reference for consumer understanding of standardized format for costs their rights and obligations and as evidence in the case Policy makers could establish greater standardization of a complaint or dispute. This risk is compounded when regarding the presentation of fees for digital micro- information is provided via USSD on feature phones with credit. While there are many different business models small screens or is available only on a website that may for digital microcredit, as well as differing pricing meth- not retain the version of the information originally given ods tied to these various models, providers should not to the consumer. take advantage of complex and impenetrable pricing. Similar to issues that arose in the microfinance industry a Regulatory approaches to address poor format decade ago, when different pricing models were some- of terms and conditions times employed to confuse and mislead consumers, As a general principle reflecting international good greater standardization is needed throughout the digital practice on disclosure, communications from FSPs to microcredit industry to improve transparency. Consumer consumers should be in plain and easily understand- research on digital microcredit in Kenya found that dis- able terms and not misleading, regardless of the chan- playing cost information in a consistent way made con- nel being used to communicate. Disclosure of T&C for sumers more likely to choose the cheapest option.275 digital microcredit products should therefore be in plain language without confusing technical jargon, particularly Rules will need to strike a balance between more given that users of digital microcredit products typically standardized presentation and terminology for digital have lower financial and digital literacy. For example, rec- microcredit pricing while still allowing for innovation ognizing that paper-based disclosures do not match the and differentiation. For example, in addition to requir- current reality of consumers engaging via digital channels, ing disclosure of total cost indicators along with a break- the FCA undertook an initiative (called “Smarter Consumer down of fees, presentation by repayment period could Communications”)278 to consider the changes required for be standardized (based on different categories of digital effective digital disclosure that allowed for innovation while credit products). Terminology used for fees could also be clarifying compliance with existing rules. This initiative was made more consistent across providers, in particular any driven partly by the need to provide clarity to firms regard- fee charged that is the equivalent of a finance charge. ing acceptable disclosure practices among innovative new Rules could be considered on the general order in which communications approaches. As part of this initiative, the different types of fees and charges are displayed. The FCA emphasized that providers should work together to ITU-T Focus Group on Digital Financial Services suggests develop consistent terminology and reduce the complex- that regulators establish standard definitions for the cost ity of language and technical jargon. and fees of digital credit, including all bundled services; require disclosure in line with these standard definitions Consideration may also be required regarding how to ensure consistency across offerings; and require clear, graphic elements affect readability, particularly with conspicuous, and understandable disclosure of financial respect to digital channels. In Portugal, best practices and other consequences of early, partial, late, or non-re- from BdP applicable to the sales of retail banking prod- payment of a digital loan.276 uct and services via digital channels include that financial institutions “evaluate the use of graphic elements such as Risk: Poor format of terms and conditions font size, color, icons and images in all information media, At a broader level, information on the key T&C of digi- including on the screens of the marketing platform and tal microcredit products is often not conveyed in a for- in advertising, ensuring that those elements are not likely Digital Microcredit   57 to affect the readability, understanding, and prominent of available tools such as a hotline or live chat, chatbot, or information.”279 other interactive tools.284 Existing requirements on disclosure via paper-based c)  Timing and flow of disclosed information formats—that is, page length, font size, use of KFSs— will need to be appropriately adapted for mobile chan- Risks to consumers nels. As noted above, a summary of key T&C for digital The timing and flow of information disclosed via digi- microcredit can be provided directly to potential borrow- tal channels can impede transparency. Key information ers. It will be important for such summaries to be designed such as pricing may be provided only after a consumer well and user-friendly, and for information to be conveyed completes a digital microcredit transaction. Consumers in a manner that increases the likelihood of consumers may not be given sufficient time to review a mobile screen paying attention to such information. A European Com- before it times out. Less appealing information may be mission behavioral study on digital sales of retail financial de-emphasized. More broadly, user interfaces on mobile services found that well-laid-out, ordered information had phones may be challenging to navigate, hampering effec- a substantial positive effect on consumers’ choosing more tive disclosure. However, digital channels also provide optimal products in a test environment, and the positive certain benefits that can be leveraged to enhance trans- impact actually proved greater on mobile phones than parency by making disclosure more “active” for users. desktop channels.280 Consumer testing on disclosure for digital microcredit in Kenya found that summarized, sim- Regulatory approaches pler versions of T&C led to better comprehension and more searching for products from other providers, a pos- The order and flow in which information is provided itive outcome since one of the objectives of disclosure is can enhance transparency and comprehension. As to increase comparison shopping.281 noted by the FCA, it can be beneficial to approach dis- closure as a “digital journey” and use an engaging digi- Adapting (paper-based) KFS requirements for mobile tal format to help consumers progress through the steps channels could involve standardizing presentation in of a transaction. 285 ASIC guidance on good practices for order to highlight key information in a structured and digital disclosure notes that “provider(s) should consider consistent manner. Information could be broken up into whether the disclosure flows logically in a way that aids bite-sized chunks that are easier for consumers to digest understanding of the product.”286 Appropriate promi- and that are grouped and ordered in a consistent manner nence should be given to each aspect of a product and across providers (for example, by fees, conditions, risks, disclosed information should not divert consumers away and so on), in order to achieve similar benefits from paper- from less appealing information. based KFSs. The FCA has asked providers to do more to incentivize consumers to engage with information One approach would be to make mandatory the timely delivered in a digital environment, including by layering disclosure of pricing earlier in the transaction process. information as a means to guide consumers through their ITU-T Focus Group on Digital Financial Services suggests journey in a way that enables them to digest each part that regulators require disclosure of fees prior to the com- easily, rather than including all information up front.282 For pletion of a transaction, with the option to cancel the example, summary information can be included up front, transaction after the disclosure.287 In Kenya, the CAK iden- with more detailed information included in secondary lay- tified a particular issue with consumers not being aware of ers in a menu. charges for their digital loans (and other transactions con- ducted via mobile wallets) due to the fact that providers To counterbalance the limitations of digital disclosure, were not disclosing the cost of such transactions until after consumers could be given easy access to off-line chan- the consumer accepted the transaction on their mobile nels to obtain further information as well as the means device. The CAK therefore issued guidelines requiring all to access disclosed information for future reference. providers of digital financial services to disclose all applica- The Center for Financial Inclusion suggests that provid- ble charges to customers for a mobile money transaction ers offer consumers channels to contact a provider repre- (including microloans, money transfers, and microinsur- sentative (for example, via a call center, online chat, or an ance) prior to completion of the transaction. The CAK agent/branch location) to ask questions and clarify T&C chose not to be overly prescriptive; rather, they gave prior to agreeing to T&C.283 For example, when conduct- general guidelines that providers should disclose what ing sales of retail banking products and services via digital charges would be incurred, give consumers an opportu- channels, financial institutions in Portugal are required to nity to cancel, and provide a receipt afterward. The CAK assist customers to obtain further information by making also reviewed samples of disclosure messages to be used 58   Consumer Risks in Fintech by providers. 288 As a result, a survey of users of digital from increased airtime costs, particularly for low-income financial services in Kenya found that the percentage of consumers. survey participants who could correctly estimate the cost of their last M-Shwari loan of KSh 200 went up from 52 Beyond disclosure at the point of sale, digital channels percent before the CAK order to 80 percent afterward.289 can be leveraged during the duration of the loan term to nudge consumers toward healthier behaviors. For Similarly, key T&C could be provided earlier in the example, text alerts and notices on mobile apps can be transaction process and given prominence. Key T&C used to send direct, timely reminders to borrowers regard- should obviously be provided before a consumer accepts ing upcoming due dates for repayments. Though related a digital loan offer. In Kenya, consumer testing on disclo- to banking alerts and not digital microcredit specifically, sure of information for digital microcredit found that just research by the FCA found that text alerts or notices via moving the option to view T&C from the last option in the mobile banking apps that were triggered automatically main menu for a digital loan product to its own screen were effective in changing consumer behavior and reduc- increased consumer viewing of T&C from 9.5 percent to ing overdraft charges.294 Policy makers could consider 23.8 percent.290 similar requirements with respect to digital microcredit, in order to help consumers avoid late payment penalties or Integrating behavioral insights into regulatory ap- default. Providers could be required to send texts or dig- proaches can help to encourage consumers to engage ital alerts seven days before loan repayments are due or with information provided. Regulators who have taken for missed payments, accompanied by concise warnings action to adapt consumer protection approaches for dig- on the risks of continued late repayment. This practice has ital credit specifically cite the need to incorporate behav- already been observed among more responsible digital ioral insights into their approaches. While less information credit providers.295 can be conveyed via mobile channels, such channels pose an opportunity to allow consumers to review information at their own pace and in a certain order. These character- d)  User interfaces istics of digital channels can be taken advantage of. For Risks to consumers example, for sales of retail banking products and services User interfaces for digital microcredit are often not through digital channels, financial institutions in Portugal user-friendly and can be ineffective in assisting con- are required to ensure that the selling process proceeds sumers to review and understand information. Infor- to the next stage only after customers confirm that they mation may not well adapted to suit different types of have read to the end of mandatory information docu- mobile screens—for example, using apps on low-end ments, and financial institutions should use visual and tex- smartphones, making information literally difficult to read. tual techniques to encourage customers to do so.291 Menus may be complex and confusing to navigate, lead- The dynamic nature of mobile phones could similarly be ing to consumers accepted terms without reviewing them leveraged to require consumers to confirm or acknowl- or making mistakes in their transactions. Menus may also edge key information before moving forward in the be in English or a formal version of the local language, transaction process. In the aforementioned consumer making them more difficult for low-literacy consumers to study in Kenya, requiring an opt-out approach to view- understand. ing T&C increased the rate of viewing from 10 percent to 24 percent, and the resulting delinquency rate was 7 per- Regulatory approaches cent lower for borrowers who read the T&C.292 Similarly, Requirements could be used to ensure that user inter- consumers could be required to confirm or acknowledge faces are clear, user-friendly, and easy to navigate. The APR, TCC, or repayment amounts or confirm that they Center for Financial Inclusion suggests that user inter- understand conditions or risks associated with a digital faces provide step-by-step instructions in a major local product before moving forward in the transaction process. language.296 ASIC guidance notes that digital disclosure should be easily navigable, providing a practical example Measures could be used to ensure that consumers are of a menu feature in an app that allows consumers to go given adequate time to review information via digital immediately to sections of the disclosure that are most channels. The Center for Financial Inclusion highlights the important to them.297 The same standards in quality of need for providers to build in time for consumers to review disclosure should apply across different types of mobile T&C by having appropriate time limitations to review mul- phones and platforms. Additional methods to improve tiple screens in a mobile app or USSD menu.293 However, the user interface include designing interfaces and pro- consideration should be given to any negative impacts cesses to reduce keystroke error; applying human-cen- Digital Microcredit   59 tered design; providing key instructions as needed within out.” In fact, research in Kenya has shown that many first- the transaction flow (more relevant for smartphones); and time users of M-Shwari (the most popular digital credit providing full transaction details on one screen to finalize product) tried it out for “no reason at all.”301 the transaction at the end stage.298 Providers may use marketing techniques that exploit Similar to consumer testing of KFSs, testing of user behavioral biases to entice consumers to borrow more interfaces for the provision of digital microcredit via than necessary. Examples include marketing that encour- mobile channels would also be highly beneficial. The ages consumers to borrow the maximum amount possi- G20 Task Force suggests that policy makers encourage ble, suggests that loans can be repaid easily, or trivializes FSPs to test digital disclosure approaches to ensure their the seriousness of a loan. Providers may market loans by effectiveness, taking into account factors such as different framing them based on the maximum sum that can be screen sizes and communication formats.299 The FCA has borrowed. “Interviews with consumers and lenders con- also emphasized that firms should use behavioral insights firmed that many customers borrow at the suggested loan to create more effective product information for consum- limit rather than propose a lower sum that would be suffi- ers and test communications with real consumers. To cient to meet their immediate needs.”302 A study in Latvia complement the measures suggested above, providers found that digital lenders encouraged consumers to dis- could also be required to provide guidance and training close a higher income in order to obtain a larger loan.303 to consumers on user interfaces, including via agents. Aggressive advertising via “cute messaging” was noted by FinCoNet as undermining the seriousness of entering into a credit contract and distracting consumers from the MARKETING PRACTICES VIA 4.3  high costs of a loan.304 REMOTE CHANNELS Advertising for digital microcredit may be misleading a)  Risks to consumers or targeted at vulnerable consumers, and both risks Marketing practices employed by some digital micro- may be enhanced by the use of technology. A Euro- credit providers pose several risks to consumers. Com- pean Commission behavioral study on the digitalization of mon issues include digital microcredit being aggressively marketing and distance selling of retail financial services marketed to consumers, such as via unsolicited, preap- highlights several poor practices that also apply to digital proved offers, or using misleading or incomplete infor- microcredit.305 These include emphasizing benefits while mation in marketing materials. Marketing practices may giving lower prominence to costs; omitting or making also exploit behavioral biases by leading consumers into key information such as risks or costs difficult to find; and making impulsive decisions to take up loans that they do presenting unrealistic offers (such as loans that are almost not need or larger loans than necessary. The negative or completely free of charge) while failing to mention the repercussions of aggressive or misleading marketing can conditions attached to such offers. In addition, with big be heightened by the remote nature and ease and speed data and digital channels, it is now easy for providers to of digital transactions, resulting in poor decision-making tailor the content, timing, and framing of offers to con- by consumers. sumers’ specific habits, needs, and concerns. While such capability can be beneficial for consumers, irresponsible Push marketing and unsolicited offers used by some providers can use such capability to target vulnerable digital microcredit providers may encourage consum- consumer segments—for example, by targeting low-in- ers to borrow on impulse, without prior intention or a come households or targeting marketing at times when clear purpose for the loan. In general, there is evidence consumers are vulnerable to making poor decisions, such that providers drive demand for high-cost, short-term as weekend evenings. credit more than consumers, more so than in a tradi- tional financial services context.300 With respect to digital Finally, the remote nature of digital channels combined microcredit specifically, aggressive marketing techniques with the rapid speed of digital transactions increase include push marketing. The business model for mobile- the vulnerability of consumers to aggressive market- based lending is often based on recurring invitations for ing practices. The lack of human interaction with pro- prequalified credit sent to existing or prospective con- vider staff, combined with the fact that consumers may sumers via unsolicited text messages or phone calls. Such be transacting from the comfort of their own homes, may practices exploit behavioral biases, such as present bias result in consumers taking digital loans less seriously. In and loss aversion, and may lead consumers to take out addition, digital microcredit can be advertised as “one- loans without considering whether they really need them click” or nearly automatic. These factors may lead con- or are able to repay them, as they are afraid of “missing sumers to make hasty and poor decisions. 60   Consumer Risks in Fintech b)  Regulatory approaches vices between 23:00 and 07:00.312 In Belgium, advertising that focuses on the ease of obtaining credit is prohibit- Policy makers have increasingly recognized that policy ed.313 In the United Kingdom, payday lenders are specifi- action is needed to curtail the more exploitative prac- cally required to refrain from advertising that trivializes the tices of digital lenders. For example, the Organisation for nature of payday loans, including by encouraging nones- Economic Co-operation and Development suggests that sential or frivolous spending or unacceptably distorting “measures should be taken to identify consumer charac- the serious nature of such loan products.314 In Portugal, teristics (e.g. behavioral biases or vulnerabilities) that have BdP requires that financial institutions refrain from using the most effect on borrowing decisions that consumers terms such as “preapproval” or “pre-acceptance” during make and which measures can be taken to mitigate these the sales process, as such terms give the impression that effects.”306 This approach should be applied to digital credit is easy to obtain.315 microcredit in particular. A range of policy approaches can be employed, from less interventionist (that is, requiring Steps could also be taken to slow down the process of warnings) to more interventionist (that is, banning push transacting digitally to allow consumers more time for marketing). reflection and deliberation. In consumer testing aimed at slowing down the transaction process via digital chan- Policy makers in several countries have taken proactive nels, adding intermediate steps or screens that customers action by requiring providers to warn consumers about must pass through, such as adding a “review screen” in the risks of short-term, high-cost credit. Nudges such as the purchasing process, successfully resulted in consumers warnings to consumers have been found to help improve making more optimal loan choices.316 FinCoNet suggests decision-making.307 FinCoNet suggests the inclusion of that supervisors establish technological requirements that specific warnings regarding the costly nature of short-term, allow a thorough analysis of the information by consumers high-cost credit, the risks associated with short maturity, and limit the risks of impulsive credit decisions, including and the risks and consequences of over-indebtedness.308 through “restrictions that prevent consumers from moving For example, short-term credit providers in Armenia forward in the borrowing process without checking the rel- must add legislated warnings to their disclosure material evant information on the STHCCC [short-term, high-cost warning customers about the high cost of the credit and consumer credit]” and “measures that aim to ensure that encouraging them to shop around and assess their abil- consumers go over all relevant information on the STH- ity to repay. In Australia, payday lenders must display a CCC (e.g. minimum reading time, compulsory scroll down, warning that borrowing small amounts of money can be questionnaire on the main features of the STHCCC).”317 expensive, suggest alternatives to taking out such loans, For example, in Paraguay, lenders utilizing digital channels and provide the contact details for resources on debt must provide consumers with a final option of rejecting or help and counseling and financial education. Similarly, in accepting the T&C prior to the conclusion of the loan con- the United Kingdom, high-cost, short-term credit must tract and disbursement.318 Cooling-off periods could also include a prominent risk warning and redirect consumers be considered that are proportionate to the short tenure of to resources from the authority in charge of debt advice.309 digital loans (for example, one day for a one-month loan).319 Such approaches could be applied to digital microcredit as well as a form of short-term, high-cost credit. The presentation of loan options should be beneficial to consumers and not exploitative. FinCoNet guidance Rules could be used to ban explicitly sales practices suggests that supervisors consider taking action to restrict that focus on the ease of obtaining credit, trivialize the use of default options for digital credit and to prevent credit, or target vulnerable consumers. FinCoNet sug- or limit the use of illustrative examples that induce con- gests preventing or limiting the use of statements that sumers to borrow higher amounts—for example, by using induce consumers to take out short-term, high-cost credit the maximum amount that a consumer can take out as a to solve financial problems or purchase nonessential benchmark.320 For example, in Portugal, financial institu- goods or that divert consumers attention from the seri- tions are required to refrain from using pre-ticked boxes ousness of taking out such loans.310 The Center for Finan- or graphic elements to lead customers to choose certain cial Inclusion’s Standards of Protection for Digital Credit options when conducting sales of retail banking products note that marketing should not employ predatory sales via digital channels.321 Rather than marketing that defaults techniques such as language implying “use it or lose it” to preselecting the largest loan size, providers could be opportunities or push messaging sent after working hours required to provide a range of options for consumers to or more than once a week.311 In Latvia, amendments to choose from. A further step would be to require “smart the Consumer Rights Protection Law specifically prohibit defaults” where consumers are automatically defaulted to online consumer credit providers from selling their ser- the best option for them. Digital Microcredit   61 Finally, policy makers could consider outright bans or to vary significantly across providers, the upper range of limitations on preapproved, unsolicited offers for dig- pricing can be quite high. A review of digital microcredit ital microcredit. Such rules already exist more broadly, products in Kenya found that APR ranged from 12 per- such as rules in the European Union restricting the mar- cent to 621 percent.328 Pricing for one-week loans tends keting of services that consumers have not solicited.322 to be the highest when translated into APR, with non-bank In the case of digital microcredit, MNOs or other entities and app-based lenders charging higher rates. Some app- may operate on the basis of obtaining broad consent for based lenders may also ask for a deposit or registration/ marketing further products to customers. 323 Rules could membership fee before a consumer is eligible for a loan. be put in place to restrict the breadth of such consent— for example, by requiring that consumers actively opt in Digital loans may be mass marketed to consumers with specifically to the marketing of digital microcredit. At a little assessment of a consumer’s circumstances or abil- minimum, consumers should also be given an easy option ity to repay. Certain digital lenders employ a “lend-to- to opt out of push marketing of digital microcredit. learn” approach, where initial rounds of credit offers are intended to gather more information about consumers More generally, good practices in advertising and sales to strengthen internal credit scoring models. With such should be applied to digital microcredit, with adap- business models, there is little attempt to assess whether tations for digital channels. For example, qualifying a digital loan product is appropriate or suitable for the information should be placed near claims in advertising. needs or circumstances of a consumer. As a result, inap- Disclosures should be clear and conspicuous regardless propriate products are marketed to and taken up by con- of the device or platform a consumer is using to view an sumers, and loan defaults can be expected to be high, advertisement. Including total cost metrics such as APR at least during initial stages as algorithms are refined.329 or TCC could be required for advertisements for digital Anecdotal information from digital lenders indicates that microcredit. Sales incentives for provider staff and repre- some have default rates as high as 40 percent to 50 per- sentatives should be designed not to incentivize behavior cent for their first round of loan offers, which are sent that may harm consumers.324 At a practical level, regulatory blindly to a large number of prospective borrowers.330 gaps may need to be addressed where existing advertising In addition, the business model of certain digital lenders rules do not apply to advertising and marketing via new (sometimes referred to as payday lenders) is openly pred- digital channels such as social media campaigns. atory, based on high loss rates and generation of revenue via late payment fees. In addition to increasing consumer risk of over-indebtedness, the negative impact on con- 4.4  UNFAIR LENDING sumers’ credit histories affects their ability to access credit or employment in the future. a)  Risks to consumers The design of and business model for certain digital Poor practices may be used to roll over loans or microcredit products pose increased unfair lending encourage multiple borrowing. Digital lenders often risks to consumers that require direct policy responses encourage customers to roll over loans or to take out beyond disclosure rules. Broadly speaking, “the design more loans or larger loans. For example, a review of 68 of many financial and new fintech products is inherently digital credit products in India, Kenya, Nigeria, Tanzania, complex… [c]ompanies can use strategies, such as price and Ghana found that nearly half of such products (32 discrimination, price obfuscation, product bundling and products) advertised reward programs that incentivized complexity and promotion of brands leading to compli- certain behaviors from consumers, such as continued use cated markets and products that are difficult or impossible of the loan product.331 In addition, the same study found to compare.”325 As discussed below, such issues are highly that some digital credit providers extend loan terms auto- relevant for digital microcredit products.326 matically when payments are missed, with accompanying penalties. Particularly given that many digital loans have Digital microcredit products are often characterized by flat facilitation fees, providers are incentivized to focus on very high fees. For example, high flat fees based on the the quantity of loans disbursed to maximize returns. As a full amount of the microloan may be charged regardless result, consumers may end up with multiple digital loans, of how soon a borrower repays, resulting in the equivalent sometimes taking out one digital loan to pay off another of a very high interest rate given the short-term nature and one, resulting in an endless cycle of borrowing. small loan size of digital microcredit. An Alliance for Finan- cial Inclusion survey found that the costs of digital micro- Some providers use aggressive or abusive debt collec- credit products were typically quite high, often in excess tion practices unique to digital microcredit. Providers of 100 percent APR.327 While pricing for digital loans tends may reserve the right to post about loan defaults on a 62   Consumer Risks in Fintech borrower’s social media page, contact a borrower’s con- information about a consumer’s financial position and tacts on their mobile phone regarding late payments consider whether entering into the credit agreement is or defaults in order to shame the borrower into repay- a “sound decision” for the consumer. Similarly, in South ing, or harass a borrower via numerous and excessive Africa, providers are prohibited from “reckless lending” reminders sent to borrower’s mobile phone. For example, and from entering into a credit agreement without first the National Privacy Commission in the Philippines has taking reasonable steps to assess a consumer’s financial reported receiving about 1,000 complaints from borrow- circumstances. A credit agreement is considered reckless ers who used online lending apps, particularly regard- if the provider did not conduct such an assessment, if the ing use of customers’ personal data to contact relatives, consumer did not understand the risks and obligations of friends, and colleagues to harass and shame delinquent the credit agreement, or if entering into the credit agree- borrowers.332 While in some instances consumer consent ment would make the consumer over-indebted.336 may have been acquired for these practices, such consent is often not informed. Regardless, there should be appro- Some countries employ more prescriptive measures to priate limits on what types of debt collection practices gauge affordability. For example, in Japan, moneylend- digital microcredit providers may utilize that respect the ers are prohibited from lending where the total amount privacy and dignity of consumers. of borrowing exceeds one-third of a consumer’s annual income.337 In Australia, the percentage of certain consum- ers’ gross income that can be used to repay all small short- b)  Regulatory approaches term loans is capped at 20 percent.338 A range of regulatory approaches could be considered to address the above risks, particularly around prod- Some regulators are making limited exceptions for uct suitability and affordability. Many examples exist “lend-to-learn” models, but such exceptions should be of policy actions taken in other countries to address the considered with caution, given the potential downside risks of short-term, high-cost credit more broadly. Such for consumers if they are inappropriately calibrated. In approaches are highly relevant to digital microcredit. Portugal, for example, providers are required to assess a consumer’s creditworthiness taking into consideration Digital microcredit providers could be required to elements such as age, profession, regular income and assess the ability of prospective customers to repay expenses. However, an exception was made allowing pro- digital loans and to grant digital loans only where viders to estimate indirectly a consumer’s regular income they are affordable to the consumer. The Organisation and expenditures based on other information for loans for Economic Co-operation and Development recom- that are equal to or less than the equivalent of 10 times mends that measures be put in place to “ensure that a the monthly minimum wage.339 Such an exception was consumer’s ability to meet relevant payment obligations is created to allow for more innovative, convenient, and assessed before a transaction is concluded, or before any faster digital microcredit business models. significant increase in the amount of credit. The assess- ment should be based on relevant and proportionate Increasing reliance on automated credit assessments information regarding the consumer, such as income and is also leading regulators to adjust traditional cred- expenses, and the likely costs and risks of the credit.”333 itworthiness requirements by introducing stronger In addition, “[c]redit should not be granted if the credit is requirements on monitoring of portfolio performance. clearly not affordable by the consumer or is likely to have New guidelines on loan origination and monitoring from a significant adverse effect on their overall financial sit- the EBA, which go into effect in June 2021 for financial uation.”334 Many countries already have in place general institutions in the European Union, set out specific require- obligations to obtain and verify information about a con- ments regarding the use of automated models in credit sumer’s financial circumstances. Different approaches can decision-making and creditworthiness assessments.340 The be used to frame this obligation, from principles-based guidelines require that institutions specify the use of any to more prescriptive. The main considerations revolve automated models in creditworthiness assessment and around what a provider is required to assess and against credit decision-making processes in their credit risk poli- what criteria such an assessment should be undertaken. cies and that institutions, when using technology-enabled innovation for credit-granting purposes, should “ensure Principles-based approaches focus on assessing con- the performance of the model, including the validity and sumer affordability. For example, in the Netherlands, quality of its outputs, is continuously monitored and appro- credit providers are required to carry out a creditworthi- priate remediation measures are taken in a timely manner ness assessment of a consumer before entering into a in the case of detected issues (e.g. worsening or deviating consumer credit agreement.335 Providers should obtain from expected behavior).”341 FinCoNet also suggests that Digital Microcredit   63 providers of digital credit should have automated systems at £15; and (3) a total cost cap was put in place taking that allow for prompt detection of signs of deterioration into account all fees, charges and interest, which cannot of consumers’ financial capacity.342 Such approaches are exceed 100 percent of the amount borrowed.350 particularly relevant for “lend-to-learn” models. Specific measures could be taken to limit rollovers and Regulators are increasingly applying product design multiple borrowing in order to decrease the risk of and governance rules and using product intervention over-indebtedness. Policy measures that have been uti- powers with respect to credit products.343 The EBA lized for short-term, high-cost credit and could be applied highlights that it would be good practice for providers to to digital microcredit include imposing a limit of two roll- give further attention to “the risks that consumers might overs for short-term, high-cost credit (United Kingdom);351 face due to the increasing use of digital channels by FIs staggering interest rate caps on short-term loans with a [financial institutions] (e.g. exposing consumers to mar- cap of 5 percent per month on the first loan in a calendar ket practices that exacerbate behavioral biases) when year and 3 percent for all subsequent loans, specifically improving their POG [product oversight and governance] to address roll-over abuse (South Africa);352 or prohibiting processes.”344 Such requirements could be particularly charging an establishment fee if credit is used to refinance relevant for digital microcredit. Product-governance rules another small credit contract (Australia).353 Where loan could require that both the design process and customer terms are extended automatically due to missed pay- acquisition plans for digital microcredit ensure that poten- ments, such an extension should be clearly communicated tial harms and risks to consumers are considered and mit- in advance to consumers, with clear disclosure on related igated. For example, digital microcredit providers could costs. In addition, in Australia, there is a (rebuttable) pre- be required to strengthen customer segmentation345 and sumption of unsuitability if a consumer either is in default to target and sell only those digital microcredit products under another small credit contract or has had two or more that are suitable and appropriate for the interests, objec- other such loans in the previous 90 days. Digital microcre- tives, and characteristics of target segments.346 Prelaunch dit providers could also be required to monitor actively reviews of digital credit products also provide an oppor- levels of over-indebtedness and report such information tunity to examine potential consumer risks and internal to regulators. The Center for Financial Inclusion suggests measures to prevent or mitigate such risks. Digital lenders that providers have a working definition of client over-in- in Ghana are required to present and demonstrate their debtedness and that staff monitor portfolio quality at least product, the identified risks, and risk-mitigation strate- monthly to identify areas with high risks of over-indebted- gies to a panel at the Bank of Ghana for assessment and ness. Such monitoring could apply particularly for those approval.347 In extreme cases, regulators could also lever- loans internally designated as “lend-to-learn” digital loans. age product intervention powers. In Australia, ASIC has employed its product intervention powers to ban a spe- More broadly, policy makers should ensure that rules cific model of short-term lending found to cause signifi- on fair T&C apply to digital microcredit. The ITU-T cant consumer detriment.348 Focus Group on Digital Financial Services suggests that regulators review digital financial service providers’ con- Regulation on pricing has been employed in some tracts with customers on a regular basis for unconsciona- countries, but policy makers should be cautious and ble and unfair terms and practices that should be banned, judicious in utilizing such approaches, given the poten- and that regulators publish examples of such terms and tial to hamper market growth and access to finance. practices to raise public awareness.354 For example, Regulation on pricing can take various forms. A princi- auto-deduction of loan repayments from mobile wallets ples-based approach could focus on requiring that pric- could be considered unfair unless consumers are given a ing practices for digital microcredit be responsible and clear choice to actively opt in. reasonable.349 Some countries have been more prescrip- tive—for example, by capping the amount that providers On a broader level, policy makers could take steps to can charge for late fees or capping interest rates alto- monitor levels of over-indebtedness with respect to gether for short-term, high-cost consumer credit. In the consumer credit, including digital microcredit, on an United Kingdom, research was conducted to determine ongoing basis. This will require obtaining data from all appropriate price caps that would make it unprofitable credit providers in order to have a comprehensive over- for providers to lend to those consumers who would be view of the market. Such data can be obtained from both worst harmed by high-cost, short-term credit. The result- supply-side sources as well as demand-side sources, ing price cap formulation consists of three elements: (1) including via household surveys. Metrics and indicators interest rate and fees cannot exceed 0.8 percent per day will also need to be developed in order to define and on the outstanding principal; (2) default fees are capped track over-indebtedness levels.355 64   Consumer Risks in Fintech Existing rules on debt collection and/or data privacy data used to develop automated scoring systems. Input should be applied to digital lenders, with adaptations data may be incomplete and unrepresentative (resulting to address abusive practices specific to digital micro- in erroneous scoring) or reflect historical bias (influenc- credit. Greater clarity and specificity may be needed ing the algorithm toward biased results). Input data may regarding what are considered abusive and inappropriate also be poorly weighted, overemphasizing certain inputs. debt collection practices to ensure respectful treatment of When such data is used to train algorithms, the predic- borrowers of digital microcredit and appropriate protec- tions emanating from such models may be systematically tion of borrowers’ rights to privacy and dignity. For exam- worse for certain groups and perpetuate existing social ple, in the Philippines, the National Privacy Commission inequalities. Such effects continue in a feedback loop as issued a circular in 2020 that prohibits lenders operating a biased algorithm learns and reinforces its own bias. As online apps on smartphones from harvesting personal highlighted in the 2019 WBG/International Committee information, such as phone and social media contact lists, on Credit Reporting (ICCR) guidelines on credit scoring for debt collection purposes.356 approaches: “A well-intentioned algorithm may inad- vertently make biased decisions that may discriminate against protected groups of consumers. For example, if 4.5  ALGORITHMIC SCORING there are limitations in the data used for model develop- ment, selection bias may occur. If there are limitations in a)  Risks to consumers the methodology used to develop the models, then sta- New and complex algorithms that rely on big data, AI, tistical bias may occur. If historical data are used where and machine learning357 are being utilized to provide social bias was prominent, the algorithm may enforce digital credit.358 Big data analytics are one of the core and amplify the social bias (for example, penalizing along innovations driving digital credit (along with many other racial lines).”361 fintech innovations). Even low-income consumers now have digital footprints associated with them, potentially The results of algorithmic processing can be discrim- drawing from an array of alternative data from sources inatory based on sensitive attributes. Even assuming such as social media, mobile phone usage, internet trans- that input data is not flawed, algorithms may be applied actions and geolocation data.359 Digital credit providers in a manner where information serves as a proxy for sen- are developing and utilizing algorithmic processing to sitive attributes. For example, information such as zip analyze huge data sets covering a wide range of charac- codes or social media contacts may be highly correlated teristics for predictive purposes, such as the likelihood of with sensitive and protected attributes, such as race, eth- default and future repayment behavior. Such tools allow nicity, or gender. As a result, potential customers may be providers to assess vast numbers of potential borrowers unfairly discriminated against based (indirectly) on pro- rapidly, with little to no human interaction, expanding tected attributes as opposed to being evaluated based access to credit for large numbers of consumers, in partic- on their own merits. ular those lacking formal credit histories. There is a lack of transparency regarding the applica- Use of algorithms can give the semblance of objective, tion of algorithms for regulators. Algorithms are often data-driven analysis, but still pose risks to consum- called “black boxes” and are considered proprietary by ers. Such analytics have introduced new manifestations providers. Regulators lack both transparency into the of fair lending and data privacy risks, as algorithms can operation of algorithms and the technical expertise to potentially be embedded with or result in biased results. evaluate such systems. Providers themselves may be “Automated decision systems are not built and used in a unaware of how algorithms work when they are pur- vacuum: humans classify what data should be collected to chased from third parties. As noted in the WBG/ICCR be used in automated decision systems, collect the data, guidelines on credit scoring approaches: “[T]he opaque- determine the goals and uses of the systems, decide how ness of innovative algorithms may raise concerns. When to train and evaluate the performance of the systems, and innovative algorithms are used to assign credit scores to ultimately act on the decisions and assessments made by make credit decisions, providing consumers, auditors, the systems.”360 and supervisors with an explanation of a credit score and resulting credit decision if challenged is generally more Biased outcomes that negatively discriminate may difficult.”362 Challenges in the ability to interpret model potentially arise due to multiple factors. The original inputs, modelling logic, and post-modeling results in design of an algorithm itself can incorporate bias. How- turn make it more difficult to mitigate the potential risk ever, even where the design of an algorithm itself is not of bias and discrimination. problematic, results may still be biased due to the input Digital Microcredit   65 Consumers may not be aware of the role of algorithmic data analytics and AI models produce fair outcomes that processing when credit is denied. They may be unaware comply with applicable laws, including those related to of what factors led to their denial of credit. And even when discrimination.366 consumers are aware of the use of algorithmic scoring, there may be little action that they can take to address Algorithmic accountability refers to the assignment their concerns. While laws such as the US Fair Credit of responsibility for how an algorithm is created and Reporting Act give consumers who are denied credit the its impact on society.367 As noted above, algorithms are right to know what factors were used to make this deci- both complex and proprietary, and directly regulating the sion, it is unclear how such rights translate in the case of actual design of algorithms may be neither practical nor algorithmic processing. Consumers are therefore left in the feasible. Therefore, a commonly suggested approach is to dark, unable to correct any potential errors or understand place greater emphasis and responsibility on the deploy- how to improve their credit scores based on algorithms. ers of algorithms (in this case, digital microcredit pro- viders) regarding the processes by which algorithms are designed and utilized, and to require that potential harms b)  Regulatory approaches arising from algorithmic systems are identified, assessed, There is a limited but growing body of research with documented, and minimized. suggested approaches to address risks to consumers that arise from the use of algorithms. The following Algorithmic accountability centers on principles such as section summarizes emerging regulatory approaches that fairness, explainability, auditability, responsibility, and could be considered by policy makers. It draws from both accuracy.368 Policy makers could reflect such principles measures related to general use of algorithmic process- of algorithmic accountability in regulatory frameworks ing as well as measures specific to big data analytics and and provide guidelines for achieving these principles. As algorithmic credit scoring in the financial sector.363 Com- noted by the G20 Task Force, policy makers should ensure plementary measures will also be needed on the demand that providers have “robust and transparent governance, side (such as algorithmic literacy) and the supply side (such accountability, risk management and control systems as industry standards for algorithms and self-regulation). relating to use of digital capabilities (such as AI, algorithms and machine learning technology). This includes ensuring As an initial step, the application of fair treatment and that the methodology of algorithms underpinning digital nondiscrimination rules to algorithms and algorithmic financial services (e.g., digital financial advice) is clear, processing may need to be clarified and strength- transparent, explainable and free from unlawful and exclu- ened. As noted by the Global Partnership for Financial sionary biases, and with options for recourse where neces- Inclusion: “Policymakers and industry participants should sary.”369 For example, the guidance on big data analytics adopt measures to ensure that… scoring models devel- and AI from the Hong Kong Monetary Authority requires oped using alternative data do not unfairly discriminate banking institutions to ensure that there is an “appropri- against protected groups. The use of alternative data ate governance, oversight and accountability framework that carries forward historical discrimination is either pro- which is established and documented,” “appropriate hibited or restricted.”364 One of the high-level policy rec- level of explainability of the [big data analytics and AI] ommendations from the WBG/ICCR guidelines on credit models,” and proper validation and ongoing reviews to scoring approaches is that the decisions made on the ensure the reliability, fairness, accuracy, and relevance of basis of credit scoring should be explainable, transparent, the models, data used, and results.370 The EBA recently and fair, in particular including that “the data used, and introduced guidelines on loan origination and monitor- the decisions made on the basis of credit scoring, should ing that require financial institutions employing technol- operate within equal opportunity or anti-discrimination ogy-enabled innovations for credit-granting purposes to laws.”365 Where rules are in place on fair treatment and ensure the traceability, auditability, and robustness and nondiscrimination for sensitive categories, policy makers resilience of such models.371 may need to clarify and strengthen the application of these rules to algorithmic scoring. For example, the Hong The WBG/ICCR guidelines on credit scoring approaches Kong Monetary Authority issued a set of guiding princi- recommend that credit scoring models using tradi- ples on consumer protection with respect to use of big tional and innovative techniques be subject to a model data analytics and AI specifically by banking institutions, governance framework. An effective model governance focusing on four main areas: (1) governance and account- framework should consider the following items (among ability, (2) fairness, (3) transparency and disclosure, and others):372 (4) data privacy and protection. The guiding principles • Management of model risk, including the conceptual specifically notes that institutions should ensure that big soundness of the model. 66   Consumer Risks in Fintech • Assessment of unintended consequences, such as cas- For example, the EBA guidelines on loan origination cading risks and the disregard of protected character- and monitoring require that when using automated istics (for example, race, gender, and religion). models for creditworthiness assessment and credit decision-making, financial institutions should have in • Model ownership within a business context. place internal policies and procedures to detect and • Regular reviews and back-testing of models, including prevent bias and ensure the quality of input data. validation of model performance, such as receiver-op- Financial institutions should also have internal policies erator-characteristics curves and/or precision-recall and procedures to ensure that the quality of model out- curves. puts is regularly assessed, including back-testing the per- formance of the model, and control mechanisms, model Operationalizing the principles of algorithmic account- overrides, and escalation procedures within the credit ability requires that appropriate procedures, controls, decision-making framework, including qualitative risk-as- and safeguards be put in place during the devel- sessment tools and quantitative limits.375 opment, testing, and deployment of algorithms to ensure fairness and accuracy. For example, deployers In order to ensure auditability and explainability, the (and, by extension, any entities to which development of controls and safeguards noted above will need to be algorithmic scoring is outsourced) could be required to documented well. In the case of automated credit scor- establish clear strategies to avoid creating or reinforcing ing, providers could be required to document the rationale unfair bias in AI systems. Processes could be required to for algorithms, the variables used in such algorithms, and test and monitor for potential bias during the develop- the justification for using such variables. The process of ment, testing, and deployment stages. Methods that can assessing matters such as training data, decision variabil- be employed include impact assessments, error testing, ity and testing for bias, identifying areas for improvement, and bias testing.373 More broadly, incorporating inclu- and implementing corrective action could all be required sive design principles and diverse, cross-functional work to be documented as well. For example, the EBA guide- teams can also be beneficial. Practical examples of actions lines on loan origination and monitoring require institu- that have been suggested in the international literature tions to have adequate documentation of automated include the following: 374 credit scoring models that covers methodology, assump- tions, and data inputs; an approach to detecting and pre- • Assess possible limitations stemming from the compo- venting bias and ensuring the quality of input data; and sition of training data. the use of model outputs in the decision-making process • Consider the diversity, representativeness, and reliabil- and the monitoring of these automated decisions on the ity of training data. overall quality of the portfolio or products in which these models are used.376 • Identify for which groups there is the greatest concern regarding training-data errors, disparate treatment, Where digital credit providers outsource algorithm and impact, and test for specific groups or problem- development to third parties, providers could be atic use cases. required to ensure that appropriate controls were • Assess whether possible decision variability can occur used by developers during the development process. under the same conditions and, if so, what the possible Outsourcing of algorithmic scoring processes to third causes of this are. parties should not absolve digital credit providers of all • Ensure that an adequate working definition of fairness responsibility. For example, the European Central Bank is applied in designing AI systems, and that metrics notes that, where a provider uses credit scores provided are used to measure and test the applied definition by a third-party vendor using alternative data sources and of fairness. credit scoring methodologies, authorities should assess the capacity of the provider to understand the credit scor- • Determine how potential bias will be detected. ing process and data sources and to audit the outsourced • Determine how and when the algorithm will be tested credit scoring activities.377 Providers could also be made and who the targets will be. directly responsible for regular testing and monitoring for bias during the ongoing deployment of the algorithm.378 • Determine the threshold for measuring and correcting for bias in the algorithm. Algorithmic systems could be required to undergo reg- • Identify potential bad outcomes and what steps will be ular auditing and assessments by external experts.379 taken if bad outcomes are predicted to arise from the Assessments would evaluate input data, training data, deployment of the algorithms. design and testing processes, decision factors, and output Digital Microcredit   67 decisions for potential negative impacts.380 Assessments cessing for the data subject.”385 In particular, consumers could involve running algorithmic systems through test- could be informed about any adverse action taken against ing of hypothetical scenarios. Assessments could identify, them based on automated decision-making and the key assess, and document potential negative impacts and characteristics that led to such decision.386 For example, suggest appropriate risk-mitigation measures to address financial institutions in Portugal are explicitly required to any flaws found. For example, a draft data privacy bill in inform bank customers of situations where their creditwor- the United States (the Consumer Online Privacy Rights thiness assessments rely exclusively on automated deci- Act) requires that entities engaging in algorithmic deci- sion-making processes, particularly AI models, in order to sion-making to facilitate credit opportunities annually allow customers in such situations to exercise their rights conduct an impact assessment (by either an external, under the GDPR.387 independent auditor or researcher) that: In addition, consumers could be empowered with • Describes and evaluates the development of the enti- further rights, in particular the right to challenge the ty’s algorithmic decision-making processes, including outcome of automatic decision-making and the right the design and training data used to develop the algo- to request human intervention. Consumers could have rithmic decision-making process and how the algorith- the right to request why automated decisions were made mic decision-making process was tested for accuracy, and to know the logic involved in the automatic process- fairness, bias, and discrimination; and ing of data concerning them. Providers could be required • Assesses whether the algorithmic decision-making to provide consumers with meaningful information “to system produces discriminatory results on the basis enable those adversely affected by an AI system to chal- of an individual’s or class of individuals’ actual or lenge its outcome based on plain and easy-to-understand perceived race, color, ethnicity, religion, national ori- information on the factors, and the logic that served as the gin, sex, gender, gender identity, sexual orientation, basis for the prediction, recommendation or decision.”388 familial status, biometric information, lawful source of The WBG/ICCR guidelines on credit scoring approaches income, or disability.381 suggest that “organizations should consider providing the data subjects with an avenue to request a review of Similarly, a draft bill before the US Congress (the Algo- decisions that were fully automated and a correction of rithmic Accountability Act)382 requires entities to conduct underlying inaccurate data (if this resulted in their credit impact assessments on high-risk automated decision score being impacted).”389 systems in order to evaluate the impact of the system’s design process and training data on accuracy, fairness, Consumers could also be given the right not to be bias, discrimination, privacy, and security. Supervisors can subject to a decision based solely on automated deci- also play a role in evaluating the use of algorithms by dig- sion-making. For example, the GDPR provides consum- ital credit providers. FinCoNet suggests that supervisors ers with the right “not to be subject to a decision based evaluate whether automated creditworthiness assessment solely on automated processing, including profiling, which based on big data and AI are leading to responsible lend- produces legal effects concerning him or her or similarly ing decisions.383 significantly affects him or her.”390 The G20 Task Force similarly states that providers using automated credit scor- At a minimum, consumers could be given a clear right ing models should provide for human intervention, where to know when they are subject to automated deci- appropriate, to mitigate against inappropriate outcomes sion-making that uses algorithms. The WBG/ICCR such as automatic refusals. 391 guidelines on credit scoring approaches recommend that consumers receive information on the data used GAPS IN THE REGULATORY 4.6  and the decisions made on the basis of a credit scoring method. “The focus should, however, not be on the direct PERIMETER or indirect disclosure of the algorithm, but rather on the a)  Risks to consumers rationale behind the credit risks decision.”384 In order to ensure fair and transparent processing, the European Most countries face gaps in regulatory authority or Union’s GDPR requires that data controllers provide con- coverage for certain digital credit products or provid- sumers with information on “the existence of automated ers. As noted in chapter 3, fintech products in general decision-making, including profiling, referred to in Arti- raise a range of issues related to regulatory gaps due to cle 22(1) and (4) and, at least in those cases, meaningful the novelty of the product as well as new types of pro- information about the logic involved, as well as the sig- viders. With respect to digital microcredit, a mix of reg- nificance and the envisaged consequences of such pro- ulated, semi-regulated, and unregulated providers often 68   Consumer Risks in Fintech offer similar products to similar consumer segments but exist in order to ensure coverage of non-bank digital operate under different legal requirements. A particular microcredit providers. For example, the broader powers challenge posed by digital microcredit is the small but of general consumer protection or competition authori- increasing numbers of app-based lenders that do not fall ties could be employed to introduce consumer protection under the authority of any regulatory body (and may even rules on specified elements of digital credit. An example be based outside the country). For example, research is the case of Kenya, where the CAK has issued rules on in Kenya shows that the usage of non-regulated digital disclosure for digital credit that apply for all providers, credit has grown from 0.6 percent in 2016 to 8.3 percent including those not regulated by financial sector authori- in 2019.392 Where consumer protection rules for credit ties.396 Another is the Philippines, where the data privacy do exist, they are often more developed for regulated, authority issued rules restricting use of mobile phone and deposit-taking institutions. Weaker rules (and quite often, social media data for debt collection purposes.397 Another weaker supervision) exist for non-bank lenders where reg- approach could be to introduce consumer protections via ulated, while unregulated lenders have no rules applied telecommunications authorities when MNOs and mobile to them. At the same time, research suggests that some channels are utilized or via mobile money regulation of the more irresponsible practices highlighted in this where digital credit models are linked to mobile wallets. chapter are more common among app-based lenders, While none of these approaches is necessarily ideal (and as evidenced by the significantly higher levels of non- may raise difficulties in ongoing monitoring and enforce- performing loans for app-based lenders compared to ment), they can at least be leveraged to make incremental other digital microcredit providers.393 In addition, some progress in putting in place protections for consumers. FCP frameworks explicitly do not apply to small value Where such approaches are employed, close coordina- loans. The result is an unlevel playing field and increased tion will be necessary between sectoral authorities.398 risks to consumers, as well as increased potential for fraud. Complementary measures could be pursued that go beyond regulation, including where regulation b)  Regulatory approaches may not be feasible for a variety of reasons, such as As noted in chapter 3, an activity-based framework encouraging industry standards or codes of conduct. should ideally be put in place for digital credit, ensur- In Kenya, the Digital Lenders Association of Kenya has ing comprehensive protection for consumers and a developed a code of conduct for digital lenders focused level playing field for the market. Regulating by activ- on consumer protection in an effort to address irrespon- ity rather than by institutional form would cover all mod- sible behaviors seen in the market.399 Similarly, the three els of digital credit, regardless of whether digital credit is fintech associations in Indonesia have developed a joint provided via banks, MNOs, non-bank lenders, or some code of conduct. However, it is estimated that only one- combination of these actors in partnership. Concerns third of digital lenders in Kenya are members of the regarding regulatory arbitrage would also be dimin- Digital Lenders Association of Kenya, and there may be ished. For example, all providers of consumer credit are issues with self-selection of membership by lenders who regulated in Australia and Portugal. However, such an are already more committed to responsible behavior. approach would require the licensing of all credit pro- While codes of conduct are not a substitute for regula- viders, which may represent a significant undertaking for tion, they can still be beneficial in establishing industry financial sector authorities.394 consensus regarding acceptable practices. In order to strengthen codes of conduct, policy makers can make Where app-based lenders are based overseas, cross- membership in associations mandatory and encourage border coordination between authorities will be nec- strong self-enforcement mechanisms.400 In some coun- essary, such as via sharing information, redirecting tries, codes of conduct also allow consumers to bring consumer complaints to competent authorities, and disputes to financial sector ombudsmen or to court. promoting consistent policy approaches.395 From a legal perspective, to support more effective regulation and To address the specific issue of app-based lenders, supervision of cross-border activity, it may also be neces- platform operators themselves may have a role to sary to apply a country’s FCP requirements (and regulators’ play in ensuring appropriate behavior (and/or banning mandates) to any fintech entities dealing with consumers in egregious practices). Given the important role that plat- that country, regardless of where the providers are based. forms now play in serving as an interface between con- sumers and hundreds of thousands of apps, the Federal Where an activity-based approach is not feasible, Trade Commission in the United States has suggested policy makers could be pragmatic and opportunistic, that platforms should play a role in promoting best prac- building off of what rules and regulatory powers do tices among app developers with respect to data pri- Digital Microcredit   69 vacy by requiring that platform operators make privacy fraud extend beyond the traditional discussion about FCP, disclosures, reasonably enforce these requirements, and as they do not relate to poor practices by providers but educate app developers.401 The same principles could involve outright fraud, such as soliciting application fees be extended to other topics specific to financial services or personal data without providing a loan. Such situations and digital credit. In August 2019, Google Play published should be addressed directly. In markets such as Kenya new policies on its Developer Policy Center aimed at pre- and Indonesia (and presumably others), there appears to venting predatory lending apps on its platform.402 Goo- be a high prevalence of fraudulent lending apps. When gle’s stated policies already banned apps from exposing removed from platforms, the same developers often users to “deceptive or harmful” financial services but now come back with new apps. National authorities should include further details specifying that apps for personal monitor such activities and work closely with platforms loans must disclose metrics such as APR and TCC, ban- to address them, preferably with longer-term solutions ning apps that promote short-term loans of less than 60 to ban fraudulent developers. For example, in Indonesia days, and banning apps in the United States that have an OJK is working directly with Google to request removal of APR higher than 36 percent (in accordance with US rules). unlicensed online lending apps from Google Play.404 In order to be effective, stronger enforcement of plat- New research suggests that ex-ante vetting of finance- form policies will be needed. While Google Play’s new related apps, ex-post monitoring, and demand-side policies on personal loan apps are potentially a useful step interventions can be beneficial.405 There appear to be forward, it is currently unclear to what extent such policies common red flags that can be observed regarding fraud- are being monitored and enforced. Many lending apps ulent app-based lenders, including a lack of valid e-mail on Google Play still appear not to abide by these new addresses or a provider website for app developers and policies.403 This may indicate that reliance on commer- similarities in the metadata for fraudulent apps (for exam- cial arrangements policed by platform operators alone is ple, icons, titles, descriptions). New requirements could be insufficient and that further regulatory action is needed. put in place to screen for such red flags before apps are Regulators may still need to work with platform operators approved for inclusion in app stores. In addition, closer in supervising and enforcing platform requirements. monitoring and reporting of data on mobile apps could be utilized to identify and take swifter action against fraud- Regulators will still need to work directly with plat- ulent apps. Demand-side efforts such as financial literacy forms to address fraudulent lending apps. Issues with and “buyer beware” labeling could also be beneficial. NOTES 253 Izaguirre, Mazer, and Graham, “Digital Credit Market Monitoring.” 254 Reynolds et al., “Review of Digital Credit Products.” 255 Kaffenberger and Chege, “Digital Credit in Kenya.” 256 Reynolds et al., “Review of Digital Credit Products.” 257 Blechman, “Mobile Credit,” and AFI. 2017. AFI, “Digitally Delivered Credit: Consumer Protection Issues.” 258 FSD Kenya, “Tech-Enabled Lending in Africa.” 259 Kaffenberger and Totolo, Digital Credit Revolution. 260 Kaffenberger and Totolo, Digital Credit Revolution. 261 MicroSave, “Making Digital Credit Truly Responsible.” 262 Izaguirre, Kaffenberger, and Mazer, “It’s Time.” 263 Kaffenberger and Totolo, Digital Credit Revolution. 264 Thirty one percent of respondents selected limited disclosure of costs as the main market conduct and consumer protection issue, followed by high costs of digital credit (14 percent), limited suitability and misleading advertising (14 percent), and data security and privacy (12 percent). See AFI, “Digitally Delivered Credit: Policy Guidance Note.” 265 Busara Center for Behavioral Economics, Pricing Transparency. 266 As APR can be somewhat misleading for very short-term credit, an alternative approach is to allow for the presentation of monthly APR. This approach was taken in the Philippines, where banks were allowed to express effective interest rate (EIR) as a monthly rate for loans with contractual interest rates stated on a monthly basis. See Circular No. 730 of July 2011. 267 EC, Behavioral Study on Digitalisation. 268 Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” 269 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 270 BdP Circular Letter No. CC/2018/00000004 on best practices applicable to the selling of retail banking products and services through digital channels. 70   Consumer Risks in Fintech 271 FinCoNet, Guidance to Supervisors on Digitalisation. 272 Guidelines on Advertising Financial Services, Bank of Lithuania, 2012. 273 Based on World Bank phone conversation with digital credit provider. 274 ASIC, Facilitating Digital Financial Services Disclosures. 275 Busara Center for Behavioral Economics, Pricing Transparency. 276 ITU-T Focus Group on Digital Financial Services, Main Recommendations. 277 OECD, Short-Term Consumer Credit. 278 https://www.fca.org.uk/publications/discussion-papers/smarter-consumer-communications-further-step-journey. 279 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 280 EC, Behavioral Study on Digitalisation. 281 Busara Center for Behavioral Economics, Pricing Transparency. 282 FCA, Feedback Statement FS16/10. 283 The Smart Campaign, “Standards of Protection.” 284 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 285 FCA, Feedback Statement FS16/10. 286 ASIC, Facilitating Digital Financial Services Disclosures. 287 ITU-T Focus Group on Digital Financial Services, Main Recommendations. 288 Based on World Bank conversation with Competition Authority of Kenya. The guidelines apply to financial services conducted through SIM cards, USSD, and apps. 289 Mazer, “Does Transparency Matter.” 290 Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” 291 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 292 Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” Subsequent to this study, the digital credit provider in the study has since integrated research insights into its new USSD menus, including (1) separating finance charges from principal, (2) adding a line showing loan fees as a percentage, (3) adding a separate screen with late payment penalties, and (4) creating active choice to view terms and conditions. 293 The Smart Campaign, “Standards of Protection.” 294 FCA, Message Received? 295 “Of the 21 products with clear information, 16 products had a warning system in place to remind borrowers about repaying their loans or about imminent default. Most of the time these reminders were sent via SMS, email, or app notification, either on the payment due date or up to seven days prior… Forty-seven products had no clear indication that any warnings were sent to the borrower, and five products did not send out notifications at all.” See Reynolds et al., “Review of Digital Credit Products.” 296 The Smart Campaign, “Standards of Protection.” 297 ASIC, Facilitating Digital Financial Services Disclosures. 298 For further information, see McKee et al., “Doing Digital Finance Right,” and Chen, Fiorillo, and Hanouch, “Smartphones & Mobile Money.” 299 G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protection Policy Approaches. 300 For example, see FCA’s review of practices for high-cost credit at https://www.fca.org.uk/firms/high-cost-credit-consumer-credit/ high-cost-credit-review. 301 Central Bank of Kenya, 2016 FinAccess Household Survey. 302 Mazer and McKee, “Consumer Protection in Digital Credit.” 303 The study found that 20 percent of consumers who had taken out credit were actively prompted by the digital application system to indicate a higher income. See FinCoNet, Report on Digitalisation. 304 FinCoNet, Report on Digitalisation. 305 EC, Behavioral Study on Digitalisation. 306 OECD, Recommendation of the Council on Consumer Protection. 307 EC, Behavioral Study on Digitalisation. 308 FinCoNet, Guidance to Supervisors on Digitalisation. 309 All examples from OECD, Short-Term Consumer Credit. 310 FinCoNet, Guidance to Supervisors on Digitalisation. 311 The Smart Campaign, “Standards of Protection.” 312 Consumer Rights Protection Law (Latvia), art. 2.1. 313 Consumer Credit Act 1991 (Belgium), art. 6. 314 Committee of Advertising Practice, “Trivialisation in Short-Term High-Cost Credit Advertisements.” 315 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 316 EC, Behavioral Study on Digitalisation. 317 FinCoNet, Guidance to Supervisors on Digitalisation. 318 Circular SB. SG. No. 00065/2015. 319 For example, the EU Consumer Rights Directive (Directive 2011/83/EU) provides a 14-day cooling-off period for purchases made online or through other types of distance selling. Digital Microcredit   71 320 FinCoNet, Guidance to Supervisors on Digitalisation. 321 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 322 Directive 2002/65/EC on distance marketing of consumer financial services. 323 See section 3.1 for further discussion on the limitations of the consent-based approach with respect to data privacy, which has similar relevance here. 324 For further information, see FinCoNet, Guidance to Supervisors on Setting of Standards. 325 EC, Behavioral Study on Digitalisation. 326 Unfair lending can encompass a range of potential issues. This section focuses on issues related to predatory pricing, irrespon- sible lending, and abusive collections. Discrimination due to the use of algorithmic scoring is discussed separately in section 4.5, given the more cutting-edge nature of the topic and its broader applicability (within and beyond the financial sector). 327 AFI, “Digitally Delivered Credit: Consumer Protection Issues.” 328 Kaffenberger and Chege, “Digital Credit in Kenya.” 329 The fair lending risks that arise from algorithmic scoring are discussed separately in section 4.5. 330 AFI, “Digitally Delivered Credit: Consumer Protection Issues.” Similarly, research in Tanzania showed that first-time borrowers of digital microloans had the highest default rate, nearly 40 percent. See Izaguirre and Mazer, “How Regulators Can Foster.” 331 Reynolds et al., “Review of Digital Credit Products.” 332 Guzman, “SEC to Shut Down Eight More Online Lending Apps.” 333 OECD, Recommendation of the Council on Consumer Protection. 334 OECD, Recommendation of the Council on Consumer Protection. 335 Consumer Credit Act. More broadly, the EU Consumer Credit Directive (Directive 2008/48/EC) requires that creditors assess a consumer’s creditworthiness before the conclusion of a credit agreement. Details on how member states have implemented this requirement can be found at https://ec.europa.eu/info/sites/info/files/mapping_national_approaches_creditworthiness_as- sessment.pdf. 336 National Credit Act 2005 (South Africa), Part D. 337 Money Lending Business Act 1983 (Japan), art. 13-2. 338 National Consumer Credit Protection Act 2009 (Cth) (Australia), s. 28S. This cap applies to consumers who receive at least 50 percent of their gross income as payments under the Social Security Act 1991 (Cth) (Australia). 339 Notice of Banco de Portugal No. 4/2017 (Portugal). 340 EBA, Final Report on Guidelines. 341 EBA, Final Report on Guidelines, s. 4.3.3 (53). 342 FinCoNet, Guidance to Supervisors on Digitalisation. 343 For example, Australian product design and distribution governance rules originally were not envisaged to apply to credit products on the basis that existing requirements under credit legislation, such as responsible lending obligations, were suffi- cient to address relevant consumer issues. However, this position was subsequently reversed. See Boeddu and Grady, Product Design and Distribution and Corporations Amendment (Design and Distribution Obligations) Regulations 2019 (Australia). 344 EBA, Second EBA Report. 345 McKee et al., “Doing Digital Finance Right.” 346 FinCoNet, Guidance to Supervisors on Digitalisation. 347 AFI, “Digitally Delivered Credit: Consumer Protection Issues.” 348 In this business model, a short-term credit provider and its associate charged separate fees under separate contracts, thereby avoiding existing caps on fees. The combined fees added up to almost 1,000 percent of the loan amount. See ASIC Corpora- tions (Product Intervention Order—Short Term Credit) Instrument 2019/917. 349 For example, the Smart Campaign’s Standards of Protection for Digital Credit recommends that provider’s fees are reason- able (for example, penalty, prepayment, other fees); that there is a reasonable limit when loan interest and/or fees (including arrears interest) stops accruing that is proportionate to loan tenure; that arrears interest/fees and penalties do not compound debt and are calculated based on principal amount only; and that due diligence is conducted on pricing of third-party part- ners whose charges or fees impact clients (for example, for payment and/or cash-in or cash-out services). 350 Detailed rules for the price cap on high-cost, short-term credit, including feedback on CP14/10 and final rules. Policy State- ment PS14/16. Financial Conduct Authority, November 2014 https://www.fca.org.uk/publication/policy/ps14-16.pdf. 351 FCA Consumer Credit Sourcebook—November 2020 (UK), 6.7.23R. 352 Regulations on Review of Limitations on Fees and Interest Rates. Department of Trade and Industry, November 2015. 353 S. 31A(1A), National Consumer Credit Protection Act 2009. 354 ITU-T Focus Group on Digital Financial Services, Main Recommendations. 355 For example, see EFIN Working Group on Over-Indebtedness, Indicators to Monitor Over-Indebtedness. 356 NPC Circular No. 20-01 on Guidelines on the Processing of Personal Data for Loan-Related Transactions. 357 While precise definitions vary, on a conceptual basis, algorithms are a set of step-by-step instructions that computers follow to perform a task. Machine learning is a set of techniques and algorithms where multiple data sets, or training data, are used to train a program to recognize patterns in a set of data automatically. Artificial intelligence and automated decision systems are powered by algorithms and machine learning. See Lee et al., “Algorithmic Bias Detection.” See also AI Now Institute, “Algorithmic Accountability Policy Toolkit.” 358 Complex algorithmic processing is increasingly being used in multiple fintech applications (including P2P, insurtech, robo-ad- vice, and so on), as well as in many circumstances far beyond the financial sector. This section focuses on risks arising from the use of algorithmic scoring for digital credit. Regulatory approaches to mitigate such risks are drawn from credit-related examples where possible, as well as more general examples. 72   Consumer Risks in Fintech 359 For discussion on the data privacy risks for consumers related to use of alternative data and potential measures to address such risks, see section 3.1. 360 AI Now Institute, “Algorithmic Accountability Policy Toolkit.” 361 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 362 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 363 Hong Kong Monetary Authority, Consumer Protection. 364 GPFI, Data Protection and Privacy. 365 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 366 Hong Kong Monetary Authority, Consumer Protection. 367 Caplan et al., Algorithmic Accountability. 368 https://www.fatml.org/resources/principles-for-accountable-algorithms. 369 OECD, Financial Consumer Protection Policy Approaches. 370 Hong Kong Monetary Authority, Consumer Protection. 371 EBA, Final Report on Guidelines. 372 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 373 Error analysis involves manual review, variance analysis (analyzing discrepancies between actual and planned behavior), and bias analysis. Bias analysis provides quantitative estimates of when, where, and why systematic errors occur, as well as scope of errors. See New and Castro, “How Policymakers Can Foster.” 374 For further examples, see “Trustworthy AI Assessment List” in High-Level Expert Group on Artificial Intelligence, Ethics Guide- lines for Trustworthy AI. See also “Template of Bias Impact Statement” in Lee et al., “Algorithmic Bias Detection.” 375 EBA, Final Report on Guidelines. 376 EBA, Final Report on Guidelines. 377 European Central Bank, Guide to Assessments. 378 The Smart Campaign, “Standards of Protection.” 379 The intensity of policy approaches to algorithmic accountability should vary depending on the potential severity of consumer harm arising from particular uses of algorithms. For deployments of algorithms deemed lower risk, alternatives to more inten- sive impact assessments include third-party certification of algorithmic systems or a no-fault/strict liability regime to algorith- mic decisions. See further discussion in European Parliamentary Research Service, A Governance Framework. 380 See G20/OECD Task Force on Financial Consumer Protection, Effective Approaches. See also Lee et al., “Algorithmic Bias Detection.” 381 Bill on Consumer Online Privacy Rights Act, 116th Congress (December 2019), s. 2968. 382 Bill on Algorithmic Accountability Act, H.R. 2231, 116th Congress (April 2019), s. 1108. 383 FinCoNet, Guidance to Supervisors on Digitalisation. 384 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 385 GDPR, art. 13. 386 GPFI, Data Protection and Privacy. 387 BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. 388 OECD, Recommendation of the Council on Artificial Intelligence. 389 World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines. 390 GDPR, art. 22. 391 OECD, Financial Consumer Protection Policy Approaches. 392 FSD Kenya, Digital Credit Audit Report. 393 In Kenya, the rate of non-performing loans for digital loans from MNO-led banks and banks was 6 percent and 21 percent, respectively, while the rate for digital loans from app-based lenders was 29 percent. See MicroSave, “Where Credit Is Due.” 394 An alternative approach would be to register at least all credit providers, as opposed to a full licensing regime. 395 G20/OECD Task Force on Financial Consumer Protection, Effective Approaches. 396 Based on World Bank conversation with Competition Authority of Kenya. The guidelines apply to financial services conducted through SIM cards, USSD, and apps. 397 NPC Circular No. 20-01 on Guidelines on the Processing of Personal Data for Loan-Related Transactions. 398 For example, in Tanzania, digital credit models may fall under the regulatory scope of the Ministry of Industries and Trade or the Bank of Tanzania. The Fair Competition Commission has been collaborating with both authorities via a memorandum of understanding in order to address financial consumer protection issues in the market. 399 https://www.dlak.co.ke/dlak-code-of-conduct.html. 400 For examples of good practices to strengthen the enforcement of codes of conduct, see Australian Competition and Consum- er Commission, Guidelines for Developing Effective Voluntary Industry Codes of Conduct. 401 FTC, Mobile Privacy Disclosures. 402 https://play.google.com/about/restricted-content/financial-services/. 403 CGTN Africa, “Google Fails to Stamp Out Short-Term Payday Lending Apps.” 404 Based on World Bank communication with OJK. 405 https://www.centerforfinancialinclusion.org/combating-the-rise-in-fraudulent-fintech-apps. PEER-TO-PEER LENDING 5 PEER-TO-PEER LENDING 5.1 INTRODUCTION The overarching idea of P2PL platforms has been described as providing an online market that allows Peer-to-peer lending is often described as one of the lenders to trade directly with borrowers.413 However, most significant developments in fintech, although its many models have developed in the market that go sig- basic elements are not new. From a lending product nificantly beyond a pure matching model where prospec- perspective, consumer P2P loans are typically unsecured, tive lenders can select prospective loans directly based on amortizing loans, very similar to personal installment loans information provided to them.414 In this chapter, P2PL is provided by traditional lenders such as banks and finance used to refer to the provision of credit facilitated by online companies.406 From an investment perspective, the con- platforms that match borrowers with lenders, encompass- cept of investing in loans made by another lender also is ing a spectrum not new, given the range of arrangements—such as loan • from platforms that facilitate consumers acting as securitization—that have allowed third-party investment direct lenders for individual loans to other consumers; long before P2PL developed. • through to platforms that allow consumers to invest in The key innovation represented by P2PL and facilitated individual consumer loans or in pools or portfolios of by technology—specifically by online platforms—has loans indirectly, in a variety of ways that expose them been to give prospective borrowers, particularly con- to credit risk without being the lender of record. sumer borrowers, access to potential lenders that they did not have before. As a result, it can offer alternative As discussed later in the chapter, in some jurisdic- sources of funding for consumers to more traditional tions legislation now restricts P2PL activities to, or has channels. Similarly, from a lender/investor perspective, caused them to converge around, only some models. and particularly from a consumer investor perspective, it It has also been the case that in some jurisdictions P2PL has given consumers access to investment opportunities platforms have increasingly been backed by institutional in loans that they formerly did not have.407 lenders (to at least some extent thus moving away from the “peer-to-peer” element). a)  What is meant by peer-to-peer lending? P2PL platforms offer various services for the purposes As with the concept of fintech, there is no single, widely of matching lenders/investors with loan requests and accepted definition of the concept of P2PL. Even the concluding loan contracts. These can include, depend- term peer-to-peer lending is not consistently preferred ing on the model, activities such as collecting and pre- internationally. Terms such as marketplace lending,408 senting applicant information, assessing loan applications, loan-based crowdfunding,409 crowdlending,410 and social providing the contractual framework and mechanisms for lending411 and, occasionally, combinations of these412 are entering into loan contracts, and setting loan pricing and also used frequently. selection. They also typically undertake loan-servicing 74 Peer-to-Peer Lending    75 activities, such as collecting lenders/investors’ funds for Importance of effective financial consumer b)  disbursement to borrowers, collecting repayments from protection for P2PL borrowers to be repaid to lenders/investors, and deal- ing with loan defaults. Where a platform comprises more P2PL grew rapidly internationally, and in recent years complex aspects, such as allowing investment in loan lending volumes, while still representing a fraction pools or portfolios, platform operators are typically also of global consumer lending, have been significant. In responsible for more complex loan selection, allocation, 2018, consumer P2PL represented the largest online alter- and pricing activities. native finance model by market segmentation, facilitating $195.29 billion in lending transactions volume, or 64 per- Characteristics of P2PL platforms vary significantly cent of the total global volume for the alternative finance internationally and even within individual markets. industry.416 China, for example, saw a rapid expansion In the United Kingdom the FCA, for example, recently of its P2PL market from 2013, which at its peak report- sought to group platforms into three general categories: edly comprised around 6,000 platforms.417 P2PL in China “conduit platforms” (where the lender/investor selects the attracted significant numbers of ordinary investors report- loans they wish to invest in); “pricing platforms” (where edly due to such factors as tightening of bank lending, a the platform sets the price, but the lender/investor selects growing perception of P2PL as a good investment oppor- the loans); and “discretionary platforms” (where the plat- tunity, and, notably, a then lack of regulatory require- form sets the price and chooses the lender/investor’s port- ments and oversight.418 Chinese investors were perceived folio to generate a target rate). However, the FCA also to have been attracted by P2PL as they had very limited noted that these platform types were neither exclusive investment options.419 Although pre-COVID-19 fintech nor exhaustive and that even single platforms could oper- credit volumes (comprising P2PL consumer lending, ate in multiple ways.415 among other platform-based lending) were found to have declined in China and to have plateaued in the United In some P2PL models, individual “lenders” invest in spe- States and United Kingdom, they were continuing to grow cific loans through a platform operator or associated in a range of other jurisdictions, and fintech lenders were entity that in turn is the actual lender to the individual becoming economically significant lenders for specific borrower. While such individual “lenders” are exposed segments, such as small and medium-sized enterprises.420 to the credit risk of relevant loans, their role is strictly as investors in an interposed instrument or arrangement, The growth of P2PL has also seen major platform col- such as a security or collective investment scheme. At a lapses and other concerning incidents in a variety of less technical level, it is often the case that even in plat- jurisdictions, highlighting the importance of identifying form models where individuals are lending directly, such and addressing new and increased risks for consumers, lending is perceived as a form of “investment.” There- whether as lenders/investors or borrowers. Some of fore, in this chapter the combined term lender/investor is these developments—and their adverse impacts on con- generally used to refer to consumers (typically individuals) sumers—have been widely reported in the media. They under either circumstance. have also triggered significant regulatory responses in many jurisdictions. It is thus unsurprising that in a recent Given the variety in platform offerings and business survey of regulators, fraud was ranked as the top risk in models, there can be overlap between the concepts connection with P2PL.421 The peak of P2PL in China was of P2PL and investment-based crowdfunding discussed followed by a number of significant platform collapses in the next chapter. Platforms may potentially fall within and incidents of fraud and misconduct involving platform both categories. P2PL as discussed in this chapter is operators. One of the highest-profile incidents of fraud generally concerned with the provision of ordinary loans involved a platform ultimately found to be a Ponzi scheme (secured or otherwise) to finance recipients, rather than (most of its loan listings were fraudulent), causing almost facilitation of investments in debt securities issued by 900,000 individual lenders/investors to lose the equiva- finance recipients. lent of $7.6 billion.422 This was by no means an isolated incident.423 Extensive platform failures resulted in major Entities responsible for operating P2PL platforms, or financial losses for many consumers. Many lost their sav- key aspects of such platforms, are referred to in the ings as a result; severe financial and personal impacts were chapter as P2PL operators. Although a single entity fre- reported in the media.424 Following significant reforms by quently has operational and legal control over a platform, regulators (which, as discussed later in the chapter, some some P2PL arrangements comprise different entities commentators now argue may have gone too far), the operating key aspects of the arrangement or providing number of P2PL platforms in China reportedly recently key services to consumers. dropped to as few as 29 from a peak of about 6,000.425 76   Consumer Risks in Fintech The United Kingdom’s P2PL market has also seen a Risks for consumers as lenders/investors or as c)  significant toughening of regulations, following a run borrowers of high-profile problems and continuing concerns. The Some of the consumer risks identified in this chapter market experienced various platform collapses and other affect both lenders/investors and borrowers, while problems affecting platform performance, with corre- others are unique to one of these cohorts. The chapter sponding losses, said to be due to factors such as a lack therefore first discusses risks common to consumers that of credit expertise of some participants.426 As a result, the are lenders/investors or borrowers and corresponding British regulator’s attitude has toughened toward P2PL. In regulatory approaches. Risks specific to investors/lenders 2013, when developing its initial framework for P2PL reg- or to borrowers are then discussed next. ulation, the FCA expressed the view that P2PL was a less risky proposition for consumers than investment-based Many of the risks discussed in this chapter are not new crowdfunding.427 However, its views have since hardened, in nature—what is new, or different from a traditional and it recently highlighted how the complexities of P2PL lending and investment context, are the ways they drove a need for measures such as sophisticated risk man- transpire or are heightened in a P2PL context. As is the agement and controls.428 case with the basic elements of P2PL discussed above, the basic elements of many of the risks discussed in the chap- From a borrower’s perspective, there have been ter can also arise in connection with more long-standing media reports in Indonesia of deeply concerning inci- lending and investment offerings. However, the impact dents affecting individuals who have borrowed from and extent of these risks is affected by factors such as unlicensed P2P lenders, and the COVID-19 crisis may the nature and extent of reliance on technology, the have worsened these impacts. The incidents include unfamiliarity and complexity of P2PL business models for instances of harsh debt collection practices, even driv- consumers, and the expanded access to unfamiliar invest- ing borrowers to take their own life, although such prob- ment opportunities facilitated by P2PL platforms. lems are not confined to P2PL but extend to unregulated online lending more broadly.429 Recent reports in the context of the COVID-19 crisis indicate that P2P lend- Summary of consumer risks and regulatory d)  ers/investors are being adversely affected by potentially approaches discussed in this chapter risky loans, as are borrowers that obtained such loans but Table 4 summarizes the new manifestations of con- are now struggling to have lenders/investors agree to sumer risks and corresponding regulatory approaches restructure them.430 discussed in this chapter. TABLE 4: Consumer Risks and Regulatory Approaches: Peer-to-Peer Lending RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Risks for both lenders/investors and borrowers Gaps in regulatory perimeter: P2PL is not ade- • Apply FCP requirements on an activities basis (lending and investment- 78 quately covered by a country’s FCP regime, and related services), rather than by institution type borrowers and lenders/investors receive even less • Extend existing FCP requirements to P2PL, and, where necessary, protection than applies to traditional lending introduce additional FCP rules for P2PL • Issue regulatory guidance to address uncertainty regarding the application of existing FCP requirements to P2PL (Also, see approaches for addressing cross-border risks summarized above in the context of digital microcredit) Fraud or other misconduct: Fraud or other • Impose licensing/registration and vetting and competence 81 misconduct by P2PL platform operators, related requirements on operators and related parties parties, or third parties • Require operators to have in place adequate risk management and governance arrangements • Require operators to segregate consumers’ funds and deal with them only in prescribed ways • Consider compensation funds (Also, see below for approaches to address platform/technology vulnerability risks that may facilitate fraud) Peer-to-Peer Lending   77 TABLE 4, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Platform/technology unreliability or vulnerability: • Require operators to have in place adequate risk management and 82 Platform/technology unreliability or vulnerability that governance arrangements causes or facilitates loss, inconvenience, or other • Require operators to comply with targeted risk management and harms operational reliability requirements, including for technology-related risks and outsourcing • Impose specific competence requirements on operators in relation to matters such as information technology-related risk Business failure or insolvency: Business failure • Require operators to segregate consumers’ funds, hold them with an 83 or insolvency of operator causing loss, such as of appropriately regulated entity, and deal with them only in prescribed lenders/investors’ capital or future income on loans or ways borrowers’ committed loan funds or repayments • Require operators to have in place business continuity and hand-over/ resolution arrangements • Require operators to comply with recordkeeping requirements to support business continuity arrangements • Impose vetting and competence requirements on operators and related parties Inadequate credit assessments: Inadequate credit • Impose creditworthiness assessment requirements on operators 85 assessments, increasing the risk of losses from bor- regardless of whether they are the lender of record rower defaults for lenders/investors and over-indebt- edness for borrowers Conflicts of interest: Conflicts of interest between • Impose general conflict-mitigation obligations on operators 86 platform operators (or their related parties) and • Require operators to comply with duties to act in consumers’ best lenders/investors or borrowers, leading operators interests and related parties to engage in conduct not in the • Require operators to meet obligations regarding fair loan pricing and interests of their consumers: fees and charges-setting policies consistent with consumers’ interests • Conflicts of interest leading to imprudent lending • Place restrictions or prohibitions on operators or their associates assessments by operators investing in loans facilitated by their platforms • Conflicts of interest leading to unfair or • Impose creditworthiness assessment requirements on operators inappropriate loan pricing regardless of whether they are the lender of record • Conflicts of interest from intra-platform arrangements, causing operators to engage in conduct favoring related parties over consumers Additional risks for lenders/investors Inadequate investment-related information: 88 Lenders/investors are not provided with adequate investment-related information, including: • Inadequate up-front information when considering • Require platform operators to provide/make available to consumers or making investments/loans ahead of any transaction information highlighting key matters relating to P2PL, such as expected risks, factors affecting returns, and restrictions on early exit • Require platform operators to provide key precontractual information about individual loans to prospective lenders/investors in business models allowing individual loan selection • Mandate warnings or disclaimers in key contexts to highlight risks for consumers and assist in balancing out inappropriately optimistic perceptions • Information being provided in an inadequate • Require platform operators to give key information appropriate format prominence on electronic channels • Require key information to be provided in a standardized format to assist clarity and comparability (Also, see approaches for risks from digital disclosure summarized above in the context of digital microcredit) 78   Consumer Risks in Fintech TABLE 4, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Additional risks for lenders/investors • Unbalanced or misleading marketing regarding • Require platform operators to comply with general prohibitions against P2PL investment/lending opportunities providing misleading information (and, when necessary, clarify via more specific regulatory guidance the application of such prohibitions to marketing of P2PL opportunities) • Impose targeted restrictions on specific P2PL circumstances presenting higher risk of misleading investors • Inadequate ongoing information about the • Require platform operators to provide ongoing information to lenders/ performance and status of lenders/investors’ investors at prescribed times or frequencies regarding matters investments/loans affecting their investments/loans specifically, such as defaults, changes to borrowers’ circumstances, and so on, or more generally, such as performance of the operator and adverse events Harm due to lenders’/investors’ lack of sophistica- • Impose lending/investment caps on less sophisticated or more 94 tion or inexperience: Such as taking on risk of loss vulnerable lenders/investors (jurisdictions have done so on a variety of they cannot afford or do not understand bases) • Impose caps on the amount that individual borrowers may borrow through P2PL platforms as another way to reduce risk of loss to lenders/investors • Consider compensation funds Borrower fraud: Loss for lenders/investors due to • Require platform operators to comply with risk management 97 borrower fraud requirements referred to above, as well as targeted requirements, such as to obtain appropriate identification information and implement measures against fraudulent access to their platform (know your customer requirements under AML/CFT laws would also be relevant) • Impose creditworthiness assessment requirements on platform operators regardless of whether they are the lender of record Additional risks for borrowers Inadequate loan-related information • Extend application of existing traditional credit-disclosure requirements 97 to platform operators even when they are not the lender of record • Address gaps in existing borrower-disclosure regimes by developing requirements specific to P2PL (Also, see approaches for risks relating to credit disclosure summarized above in the context of digital microcredit) Risks from digital distribution of P2PL credit: Risks See approaches summarized above in the context of digital microcredit 98 arising from digital distribution of credit summarized above in the context of digital microcredit can also affect digital distribution of P2P loans to borrowers CONSUMER RISKS FOR BOTH 5.2  by existing regulation. For example in 2014 the Central LENDERS/INVESTORS AND Bank of Ireland felt compelled to warn consumers that crowdfunding, including P2PL, was not a regulated activ- BORROWERS ity in Ireland and therefore complaints about it could not a)  Gaps in regulatory perimeter be made to the Financial Services Ombudsman.431 Risks to consumers Some jurisdictions regulate traditional lending and Although the core elements of lending and investing investment activities under separate frameworks. How- on which P2PL is based are not new, novel aspects of ever, in a P2PL context, gaps in the coverage of lend- P2PL platform arrangements and business models can ing regulation, not just investment protection, can harm mean that they sit outside a country’s existing FCP individual lenders/investors as well as borrowers. For regulatory perimeter. As a result, consumers may be example, the key obligation (discussed later in the chap- exposed to risks even if these would already be addressed ter), typically imposed on traditional lenders under FCP Peer-to-Peer Lending   79 frameworks, to undertake creditworthiness assessments when borrowing from a traditional lender. In the context on prospective borrowers can protect individual lenders/ of home lending, the FCA expressed concern regarding investors’ interests, as well as those of borrowers. a potential regulatory gap in its market. It noted that if P2PL platforms offered home loans in the United King- Gaps in regulatory coverage of credit activities under- dom using business models where the platform merely taken through P2PL platforms can frequently arise facilitated the finance, this could mean that nobody when a regime regulates certain conduct, such as had responsibility from an FCP perspective. This meant lending, only if undertaken by particular types of insti- that a home-finance consumer using a P2PL platform tutions—such as banks or licensed non-bank financial may not receive the same level of consumer protection institutions. This is sometimes referred to as institu- that they would when dealing with an authorized home tion-based regulation, to be contrasted with activity- lender.434 based regulation. While consumer P2P loans may be very similar to personal installment loans provided by From an investment regulation perspective, P2PL traditional lenders such as banks and finance compa- operators may provide a range of services for indi- nies, they may not be regulated because of the nature vidual lenders/investors of a nature that functionally of the lender. ought to be already covered by typical investment requirements.435 Depending on the business model In a P2PL context, however, gaps can also arise in adopted, they may be providing an investment service, regimes that adopt activity-based approaches. This such as acting as an intermediary, operating a collective depends on the nature and description of the regulated investment scheme, or issuing securities. If undertaking activities when using such an approach. For example, loan-related assessments, they may be providing a form in some P2PL business models, platform operators may of financial advice to their lenders/investors. Managing not be undertaking the core lending activity on which ongoing fulfilment by borrowers of their obligations on regulation frequently focuses—namely, being the legal behalf of lenders/investors may involve providing ser- lender—but they nevertheless control many important vices under a principal and agent relationship with the aspects of that activity, as well as being best placed to lender/investor. They may also provide account man- comply with relevant requirements. agement–related financial services and custody services. However, the novelty of P2PL arrangements at times By way of illustration, the EBA pointed out that the has seemed to generate uncertainty regarding whether European Directive on Consumer Credit (which man- and how P2PL-related investment services are subject to dates a range of consumer protection requirements existing investor protection laws. In other instances, the for consumer lenders) was unlikely to apply to a nature of P2PL offerings meant that they may not have fit P2PL platform operator that was not itself acting as readily within existing investment regulation. the lender but, rather, was intermediating lending by individuals. The Directive applied to a creditor defined Regulatory approaches as a “person who grants or promises to grant credit in the course of his trade, business or profession.” This Take an activity-based approach to FCP regulation would be inapplicable to a platform operator operating Applying FCP requirements by activity, rather than under a business model where they are not the lender entity, type can assist in ensuring that P2PL platform of record. The EBA also noted that the Directive was operators are covered, particularly if reflecting con- unlikely to apply to individuals lending through such a cepts that are sufficiently broad and flexible to cover platform unless they were in fact undertaking a lending new and developing business models and entity roles. business, rather than investing for personal purposes.432 Some jurisdictions have found that broad concepts in In any case, from a practical perspective, they would be existing legislation, such as relating to lending or invest- unlikely to be able to comply with relevant FCP require- ment activities, were effective in automatically extending ments. Similarly, the European Commission noted that regulation to new fintech offerings. For example, Aus- the fact that a platform may be carrying out activities tralia’s National Consumer Credit Protection Act already normally undertaken by creditors, such as creditworthi- applied to any “credit activities” involving consumers ness assessments and debt collection, may not matter carried out as part of a business, which included not only in terms of attracting regulatory obligations if they were the provision of credit but also a range of credit-related not the credit provider.433 Without appropriate modifi- assistance to consumers or acting as an intermediary cation of domestic legislation based on the Directive, between a lender and a consumer.436 A P2PL operator consumers would not receive the same level of protec- acting as a lender to consumers would therefore be sub- tion when borrowing from a P2P lender as they would ject to the legislation, but so would an operator that acts 80   Consumer Risks in Fintech as an intermediary between individuals lending directly Establish separate regulatory framework and their consumer borrowers or assists borrowers to Authorities in some jurisdictions have recently intro- apply for such credit. On the other hand, individual duced new, separate regulatory frameworks to cover lenders/investors would not be subject to the legislation varied aspects of P2PL or both P2PL and invest- unless they are engaging lending as part of a business, ment-based crowdfunding.447 The introduction of a sep- which would usually not be the case. The Corporations arate framework may be undertaken for various reasons, Act similarly applies to the provision of a range of “finan- such as an absence of sufficient existing regulation or cial services,” including, relevantly to the investment preferring not to adapt or extend existing regulation for side of P2PL platforms, dealing in or providing advice the sake of expediency or to avoid implementation diffi- in connection with managed investment schemes.437 In culties. In China in 2015, the People’s Bank of China and Japan, where the typical P2PL model involves the opera- nine other government bodies jointly introduced a new tor providing credit on behalf of investors,438 businesses framework by issuing “Guiding Opinions on Promoting offering P2PL services have similarly been expected to the Healthy Development of Internet Finance,” covering register as moneylenders under the Money Lending (among other things) P2PL.448 Interim Measures for the Business Act,439 as they are legally considered money Administration of the Business Activities of Online Lend- lending businesses.440 ing Intermediary Institutions were subsequently issued in 2016 by the China Banking Regulatory Commission Some authorities have considered it necessary to intro- (CBRC)—now known as the China Banking and Insur- duce brand new concepts into legislation to capture ance Regulatory Commission (CBIRC)—with several other P2PL activities adequately. For example, in the United authorities, to set out a regulatory perimeter of permitted, Kingdom, existing rules were amended441 to cover the and prohibited, activities for P2PL operators (referred to activity of “operating an electronic system in relation to as P2PL information intermediaries).449 The P2PL models lending.”442 now permitted in China are limited to matching lenders/ investors and loans for the purposes of direct lending.450 It is important to ensure that activity-based regula- The Korean authorities also recently passed a new law, tory coverage is not indiscriminate and imposes FCP the Online Investment-Linked Finance and Protection of requirements to the entity that can most appropriately Users Act, that will require entities intending to engage in deal with them. Thus, for example, it has been suggested P2PL to register with the Financial Services Commission of that in South Africa, P2PL may have initially been regu- Korea and be a joint stock company.451 Peru has similarly lated too strictly by requiring individuals who lend directly recently introduced new rules targeting P2PL and crowd- through platforms (rather than the operator being the funding.452 lender) to be registered with the National Credit Regula- tor and comply with related requirements, as opposed to Hybrid approaches focusing requirements on platform operators.443 Some jurisdictions have adopted a hybrid approach, bringing P2PL within some existing frameworks—such Extend existing regulatory framework as licensing frameworks—while developing separate Some jurisdictions have sought to extend the coverage sets of conduct rules. In 2018, Mexico, which already of existing regulation to new P2PL business models. had a range of FCP legislation applying to traditional In the United Kingdom, a P2PL operator, even if merely FSPs, introduced a new overarching Financial Technology intermediating loans without acting as the lender, is sub- Institutions Law453 to cover a range of fintech areas. These ject to key FCP requirements equivalent to those apply- include crowdfunding entities, and one of the specified ing to traditional lenders. This is also reflective of the fact categories is debt crowdfunding.454 Authorities can issue that a platform operator is likely to be in a better practical FCP requirements under this Law as may be considered position to discharge compliance obligations than an indi- necessary. However, once regulated, P2PL operators also vidual who, technically, may be the lender.444 In Brazil, the become subject to existing FCP requirements applicable National Monetary Council issued a resolution prescrib- to other financial institutions, such as the Law on Transpar- ing P2PL entities (sociedades entre pessoas, or SEPs) as a ency for Financial Services.455 In India, the RBI addressed new category of financial institution requiring them to be the lack of P2PL regulation by deeming P2PL operators to licensed by the Central Bank of Brazil.445 SEPs may only be “non-banking financial companies”.456 Once regulated facilitate direct loans between lenders and borrowers and as such, operators were made subject to a set of conduct not act as a lender using their own funds.446 requirements specific to P2PL.457 The approach in the United Kingdom is arguably somewhat similar, although the FCA has integrated dedicated P2PL requirements in existing rule sets. Peer-to-Peer Lending   81 In Indonesia OJK has adopted a different hybrid financial services legislation was likely to apply to P2PL approach to regulating P2PL activities, incorporating activities. ASIC issued guidance to confirm that where a an aspect of self-regulation. Providers of “information P2PL operator allows “retail investors” to invest in P2PL technology–based loan services” are required to be reg- through a managed investment scheme, the operator is istered with and licensed by OJK458 and are subject to required by the Corporations Act to register the scheme rules issued by OJK, including existing regulations on and obtain an Australian financial service license. Provid- FCP-related matters. However, applicants for licensing ing ancillary financial services, such as financial product and registration are also required to provide proof of advice, would also require a license in Australia. As a membership with an industry association appointed by license holder, the operator would also have a range of OJK,459 such as the Indonesian Joint Funding Fintech conduct obligations under the legislation. Association (AFPI), and confirmation from the associa- tion that the applicant pledges to comply with its code b)  Fraud or other misconduct of ethics and has not previously breached it. The Fintech P2P Lending Code of Conduct recently issued by AFPI Risks to consumers was drafted in consultation with OJK and is intended to Consumers may suffer loss under a variety of circum- address a number of FCP-related matters, such as infor- stances involving poor conduct or outright misconduct mation disclosure and complaints handling. AFPI can by P2PL operators, including by their staff, their man- expel members for a violation of its code of conduct, agement, or service providers acting on their behalf. which then renders the relevant entity ineligible to con- Loss of funds due to fraud is an extreme, if not infrequent, tinue to hold their license from OJK. example. Losses may also result from negligence or lack of competence. Leverage regulatory guidance Regulators may use guidance to address uncertainty Such risks obviously are not unique to P2PL, but regarding the coverage of P2PL by existing frame- various aspects of P2PL ’s development, and its rela- works. In the United States, the securities regulator tive novelty, can contribute to their increase. A con- chose to send industry a strong signal with regard to sumer may lack the ability, or information, to be able the application of existing regulation to P2PL. Approxi- to assess the competence and integrity of the P2PL mately a decade ago, the SEC entered into a cease-and- operator with which they are considering dealing. The desist order against a major P2PL platform, signaling EBA made the point that it might be difficult for lend- to the market that such platforms were making public ers/investors and borrowers in a particular jurisdiction offerings of “securities” and were therefore subject to to find independent information about the reputation the 1933 Securities Act460 (thus incurring securities-re- of platforms where operators do not require regulatory lated registration and reporting requirements, among permissions to operate platforms and are not subject to others). According to commentators, one of the practical legal information or disclosure requirements. The EBA results of this intervention, besides the exit of some plat- also noted that a lender/investor is unlikely to be in a form providers from the market, has been a change in position to assess a platform’s reputation or probity for business models to favor investment-based, rather than themselves.467 In China, it was similarly highlighted that, direct-lending, models.461 In Japan, similarly, the typical prior to recent reforms, low barriers to entry meant the P2PL model involves the operator providing credit funded quality of sector participants varied significantly, creat- by investors under “silent partnership contracts.”462 The ing major risks for participants.468 By the end of 2017, regulator requires the operator to be registered as a following a significant tightening of regulation (which so-called Type II Financial Instruments Business Opera- some have criticized), 3,600 platforms had already dis- tor under the Financial Instruments and Exchange Act463 continued operations, as many had difficulty in meeting to be permitted to solicit investment from investors in clients’ demands for cash withdrawals or had manage- the form of a collective investment scheme.464 Australian ment abandon the business.469 authorities have not made significant reforms for the pur- poses of extending regulatory coverage to P2PL activi- Regulatory approaches ties. As noted above, this is because federal consumer Licensing and vetting and competence requirements credit and financial services legislation already applies Some regulators have sought to develop new require- largely on an activities basis. However, given the nov- ments, or extend existing requirements, to ensure elty of P2PL arrangements in the market, ASIC consid- appropriate vetting of prospective P2PL operators, ered it necessary to form a working group specifically including their management and staff. The EBA rec- focusing on P2PL matters465 and to develop detailed ommends that mitigants to address these risks should guidance466 to confirm how existing consumer credit and include requiring platforms to be authorized by a national 82   Consumer Risks in Fintech financial supervisory authority or at least to be registered have appropriate internal risk-control mechanisms.475 with an authority. Mexico’s Financial Technology Institutions Law similarly makes demonstrating implementation of controls for Mere registration, simply involving recording informa- operational risk a key aspect of being authorized as a tion about entities without any form of entity vetting, P2PL operator, as well as more specifically fraud preven- is unlikely to be sufficient to address relevant risks. As tion.476 As discussed in the next section, regulators have the EBA also notes, additional measures could comprise also increasingly imposed more specific risk manage- checking that the individuals managing a platform meet ment requirements targeting particular risks, such as with appropriate standards for competence, capability, integ- regard to information technology security.477 rity, and financial soundness.470 This should be the case both when first applying for authorization and on an ongo- Client funds segregation and handling requirements ing basis while they continue to be authorized. For exam- Regulatory requirements obliging P2PL operators to ple, the RBI requires P2PL operators to ensure that they segregate client funds and deal with them only in pre- meet fit and proper criteria at the time of their appoint- scribed ways could also assist in addressing risks of loss ment as well as, importantly, on an ongoing basis. Periodic in this context, such as reducing opportunities of fraud. reporting to the regulator on such matters is required as Such requirements are discussed in more detail below in well as supporting declarations and a deed of covenant.471 the context of addressing the risks of operator insolvency and business failure. In China, recent reforms now mean that P2PL plat- form operators are required to go through multiple Compensation funds stages of authorization. These include obtaining a Some authorities and commentators have considered business license from the relevant branch of the State compensation funds as a potential mitigant in the Administration of Industry and Commerce, followed by event of loss. However, as discussed later in this chapter, registration with the relevant branch of the financial reg- their adoption for P2PL does not seem to be widespread, ulatory authority, and then application for a telecommu- so it is difficult to discuss emerging approaches as to their nications business permit from the relevant branch of the structure or operational arrangements. Ministry of Industry and Information Technology.472 Some key vetting criteria seem to have been left to provincial c)  Platform/technology unreliability or vulnerability governments to determine; one provincial government proposed a provision that would encourage, albeit not Risks to consumers require, a P2PL platform to have strong shareholders and Consumers frequently face some risk of harm or loss to engage senior management with rich work experience from interruptions or failures in an FSP’s systems and in financial institutions.473 While it is of course important processes, but in a P2PL context, the risk may be sig- to ensure that authorization and vetting requirements for nificantly higher, given the extent to which lenders/ operators are sufficiently stringent to address the risks investors and borrowers rely on an operator’s systems for consumers they deal with, it is also important that and technology. Relevant harms may include loss or they be as efficient and transparent as practicable for inconvenience caused by platform malfunctions or delays. participating entities. They may also comprise third-party fraud due to vulnera- bility to cyber risks. A working group of BIS’ Committee Risk management and governance requirements on the Global Financial System noted that fintech credit Regulators are increasingly subjecting P2PL oper- platforms may be more vulnerable than banks to certain ators to obligations to have in place adequate risk operational risks, such as cyber risk, due to their reliance management and governance arrangements. In the on relatively new digital processes.478 United Kingdom, P2PL operators are subject to sev- eral overarching obligations (known as the “Principles As highlighted by the EBA, risk of loss from technical for Businesses”) that apply to authorized firms, one of issues affecting a platform is relevant to both lenders/ which is that they must take reasonable care to organize investors and borrowers due to factors such as unavail- and control their affairs responsibly and effectively, with ability of systems, networks, or data and loss of data adequate risk management systems.474 Drawing from integrity.479 The extent of such risks to platforms is likely this principle, the FCA has issued more extensive gen- to depend on a number of factors, including the platform eral obligations and guidance with regard to risk man- operators’ level of sophistication, mechanisms used for agement. As a result, P2PL operators are expected to storing client information, and the robustness of cyberse- have effective processes to identify, manage, monitor, curity arrangements. Another aspect of platforms that can and report the risks they might be exposed to and to give rise to additional risk is significant reliance on third- Peer-to-Peer Lending   83 party providers, with potential disruption of outsourced Competence requirements services.480 General competence requirements of the kinds already described above can assist to ensure that P2PL opera- Regulatory approaches tors and their management and staff are appropriately competent with regard to relevant technical risks. Some General risk management requirements regulators are also targeting such risks with more specific As discussed above, regulators are increasingly sub- competence requirements. For example, OJK specifically jecting P2PL operators to general risk management requires a P2PL operator to have in place staff with exper- and governance obligations. The expectations imposed tise and background in information technology.486 by such requirements would clearly also target the need for operators to address risks related to platform/technol- ogy unreliability and vulnerabilities. d)  Business failure or insolvency Targeted risk management and operational reliability Risks to consumers requirements A consumer lender/investor may risk losing their com- To promote more effective risk management, P2PL mitted loan principal, or repayments owed to them, operators are also being made subject to risk man- that are being held or administered by a P2PL oper- agement obligations targeting specific categories ator who goes insolvent or whose business otherwise of risk, such as technology-related risks. In Indonesia, fails. When consulting on proposed regulatory reforms OJK requires a P2PL operator to meet obligations with for P2PL, the FCA said it considered P2PL operators to regard to its information technology and the security of present a high risk of consumer harm, given that they may that technology, risk management, and resilience to sys- hold or control client funds before lending these to bor- tem interference and failures.481 Detailed requirements rowers. It also noted that, if an operator were to fail, it was prescribed by OJK include rules on establishment of a extremely likely that there would be loan contracts that disaster-recovery center, acquisition and management of had not matured, resulting in the continued receipt and information technology, and incident management and holding of funds on behalf of lenders/investors.487 Indone- implementation of security measures. OJK has also allo- sia’s OJK similarly highlighted a concern with the need to cated specific responsibilities to a P2PL operator’s board protect investor funds against such loss.488 for information-technology risks. China’s Interim Measures for the Administration of the Business Activities of Online Borrowers can also face risks of losing funds under Lending Intermediary Institutions require registration, such circumstances. A borrower may miss out on receiv- testing, and implementation of P2PL platforms’ informa- ing funds intended for them from lenders/investors as a tion systems that are appropriately reliable and secure. result of the operator’s insolvency. The EBA pointed out The Interim Measures specify a range of matters that must the risk of a lender/investor’s funds not being transferred be addressed by operators, such as firewalls, intrusion to the intended borrower if the platform is not required detection, and data encryption as well as broader con- to hold appropriate regulatory authorizations, and have in cerns with regard to information-technology risk manage- place adequate arrangements, to safeguard such funds.489 ment and resourcing.482 Depending on the legal relationships between the par- ties, borrowers may also suffer loss of funds that they are Outsourcing-related risk management seeking to repay through the platform but do not reach Given the extent to which P2PL platforms tend to out- lenders/investors. source a range of their functions to third parties,483 an important risk management obligation on operators Individual lenders/investors run the risk of suffering can be to take appropriate steps to avoid additional losses in the event of a P2PL operator’s business fail- operational risk resulting from such outsourcing. The ure (regardless of cause), even if their assets are ring- RBI’s rules for P2PL operators set out obligations for fenced from the operator’s insolvency as discussed operators to ensure sound and responsive risk manage- above. Both the International Organization of Securities ment practices for effective oversight, due diligence, Commissions and the European Commission have high- and management of risks arising from outsourced activi- lighted research that points to business failure and plat- ties.484 Ensuring that operators remain legally responsible form collapse as some of the biggest perceived risks for to consumers for outsourced functions can also assist— investors and, to some extent, borrowers, associated with as provided, for example, by the new EU regulation on P2PL.490 Business cessation can mean that even individual crowdfunding (including P2PL for business purposes). 485 loans that remain viable may not continue to be adminis- tered properly, causing corresponding loss. As the FCA 84   Consumer Risks in Fintech explains, even if the platform fails, existing loans and within which to hold investor and borrower funds. investments still need to be administered: repayments Both the RBI in India and OJK in Indonesia have man- or dividends need to be allocated appropriately among dated that P2PL platforms operate escrow accounts for lenders/investors, and late payments by borrowers have this purpose. The Indian regulator requires separate to be followed up on.491 An investor can suffer consider- escrow accounts (to be held in trust with banks) for funds able harm if a P2PL platform ceases to provide manage- received from lenders/investors pending disbursal to ment and administration services. In practical terms, this borrowers and funds collected from borrowers. All fund can mean an individual lender/investor may not receive transfers in each direction are required to be undertaken some or all of the repayments for the loans that they made through bank accounts.499 The Indonesian regulator or invested in through the platform unless they retrieve requires having “virtual” accounts for each lender/inves- payments directly from borrowers themselves. This seems tor as well as each borrower.500 In Korea, new P2PL legis- impracticable and uneconomical generally, but particu- lation also requires that operators keep investment funds larly where an individual’s investment is across a portfolio and loan repayments separate from their own funds and of loans to which rights are also held by others.492 hold these at a bank or other appropriate institution.501 While it might be possible for an administrator or liqui- In the United Kingdom, the FCA similarly confirmed dator to direct a transfer of a platform’s loan book and that funds held by a P2PL platform from clients for investor account portfolio to another platform opera- the purposes of lending out to borrowers and, in turn, tor, this can result in significant losses for investors.493 repayments from borrowers to be provided back to Inadequacy of a P2PL platform’s wind-down arrange- clients are regarded as client money held on behalf of ments in the event of platform failure are certainly a key clients in relation to investment business. Any firm that concern.494 However, so is deficient recordkeeping even holds client money in connection with such business does when the platform is operating, which can make it diffi- so as trustee and is required to make adequate arrange- cult at any time to determine which loans and repayment ments to safeguard it. Key requirements in this regard streams relate to which investors.495 include that the platform operator would be required to deposit such funds at an appropriate institution (that is, a Regulatory approaches bank), keep records and accounts, and conduct appropri- ate internal and external reconciliations, so the platform Segregation of consumers’ funds operator can always distinguish between funds held for A key safeguard, already typically required to protect different clients.502 Jurisdictions in the European Union client funds in some other contexts internationally, is take equivalent approaches.503 the requirement that investor and borrower funds be segregated from other funds held by a P2PL operator. Recent reforms in China mandate separation of plat- In addition, such funds are typically required to be held form operators’ funds from those of lenders/investors by an entity appropriately regulated, including with regard and borrowers. Commentators note that a significant to capital requirements, for the purposes of handling and driver for this requirement was scandals caused when safeguarding such funds.496 As highlighted by the EBA, the P2PL operators absconded with consumers’ funds.504 The main alternatives entail either the platform operator being CBIRC’s Guidelines for Online Lending Fund Depository appropriately authorized and regulated to hold such funds Business505 clarify that P2PL platforms must acquire cus- before it is permitted to undertake money-handling activ- todian services for the purposes of holding segregated ities on investors’ behalf, or the operator having to ensure funds from commercial banks. (However, to encourage that a separate, appropriately regulated entity handles banks to provide such services and to address concern those funds on investors’ behalf.497 Consistent with this, the that they may be held liable for matters outside their con- European Commission’s proposed regulations for crowd- trol, it is also made clear that custodian banks will not be funding (including certain P2PL) would allow P2PL opera- legally liable for matters such as lending assessments and tors, or their third-party providers, to hold client funds and defaults).506 A P2PL platform may have only one custodian. provide related “payment services” only if the relevant entity is a regulated payment service provider. Alterna- Client money handling requirements tively, the P2PL platform arrangement would need to oper- Another at least partial mitigant to the risk of losing ate on the basis that client funds are dealt with through funds due to operator insolvency or business failure regulated third-party payment service providers.498 are client money-handling requirements that spec- ify how, and within what time frames, funds must be A range of regulators have mandated that P2PL transferred to lenders/investors from borrowers (for platform operators administer segregated accounts example, as repayments are made) and to borrowers Peer-to-Peer Lending   85 from lenders/investors (for example, at loan-funding to general requirements, as authorized firms, to keep stage). Such rules can be complementary to, and bolster, orderly records of their business, including all the ser- the benefit of ring-fencing requirements, minimizing the vices and transactions undertaken. These must be suffi- time during which funds may be subject so insolvency risk. cient to enable the FCA to monitor their compliance with For example, the Brazilian authorities require—in addition all client obligations. Relevant to the risk discussed here, to the keeping of escrow accounts—that funds be trans- the FCA points out that such recordkeeping must ade- ferred to lenders/investors within one day of funds being quately reflect and support the complexity of its business paid by borrowers and to borrowers within five days of model, expressing an expectation that the granularity of funds being made available by lenders/investors, and to information about individual clients’ investments hold- be segregated until such transfers are made.507 ings should be immediately retrievable.511 Such records could therefore better support a third party for business Business continuity and hand-over/resolution continuity purposes. requirements A regulatory measure that can also help to address Risk management and competence requirements potential loss due to business failure is the require- Risk management and competence requirements ment for platform operators to have in place business described above to mitigate risk of loss due to plat- continuity and resolution arrangements. In France, plat- form unreliability or vulnerability can also assist in this form operators are required to enter into a contract with context. They may not only assist with reducing the risk a third-party payment institution to ensure such business of business failure but also place a P2PL in a stronger continuity.508 To address relevant risks in the case of per- position to address adverse consumer impacts of such manent, rather than temporary, platform failure, the EBA a failure. suggests that the platforms should be required to have resolution plans in place, to allow loans to continue to be e)  Inadequate credit assessments administered.509 Risks to consumers In the United Kingdom, rules imposed by the FCA Both P2PL borrowers and lenders/investors face sig- require a P2PL operator to have arrangements in place nificant risk of harm if appropriate credit assessments to ensure that P2P loans will continue to be managed are not undertaken in relation to prospective bor- and administered on an ongoing basis and in accor- rowers. Providing unaffordable loans can result in over- dance with the contract terms even if the platform indebtedness for borrowers and losses from borrower ceases to carry out those functions. The FCA has issued defaults for lenders/investors. Deficient credit risk assess- detailed rules and guidance setting out the operational, ments can also affect the appropriateness of pricing legal, and financial aspects that such arrangements must decisions by a platform operator; that is, lenders/inves- take into account. It would also be important to document tors may not be compensated commensurately with the such arrangements effectively for parties that step in for level of credit risk they are exposed to. A micro or small the operator at the relevant time. The FCA’s most recent enterprise, such as a sole trader or small partnership, reforms introduced rules requiring operators to prepare borrowing for business-related purposes may also be and maintain a manual containing information about their assessed incorrectly by a P2PL platform and, as a result, operations that would assist in resolving the platform in attract less interest from potential lenders/investors.512 the event of its insolvency. The “P2P resolution manual” would have content similar to that required for so-called Consumers on both sides of P2PL arrangements can living wills required for systemically important financial be heavily reliant on assessments by the platform to institutions.510 Depending on the P2PL business model, ensure that loans fit within parameters they are com- such arrangements should cover the management of fortable with.513 As discussed in the chapter on digital both the loan portfolio and, if relevant, the corresponding microcredit, the use of algorithms for the purposes of investment portfolio. credit assessments can give rise to various risks. Such risks could be even greater for a consumers dealing with P2PL Record-keeping requirements platforms that rely on novel and untested credit assess- Recordkeeping arrangements are also likely to be ment models.514 a key regulatory approach in this context, although they are obviously crucial more broadly to support the P2PL platforms have also been seeking to leverage integrity of a P2PL platform’s operations. For exam- big data analytics and non-traditional data sources. ple, P2PL operators in the United Kingdom are subject This is particularly the case in relation to platforms whose 86   Consumer Risks in Fintech business models focus on expanding credit access to bor- Access to adequate credit reporting and scoring rowers. A recent WBG discussion note canvasses various arrangements for operators potential consumer risks associated with uses of alterna- The effectiveness of credit assessment obligations on tive data beyond traditional credit reporting sources.515 P2PL platform operators could be diminished if opera- There may be potential weaknesses and gaps in the con- tors do not have access to effective, fair credit report- text of such credit assessments undertaken by P2PL plat- ing and scoring arrangements. For example, traditional forms. (This can depend in part on the credit reporting lenders often have the advantage of being able to lever- and broader data ecosystem in a particular jurisdiction.) age long-term lending or other banking relationships to The data used by platforms to assess borrower risk may model credit risk. Newer entrants such as P2PL platforms not be as comprehensive as that used in traditional lend- may lack such data.522 In the context of the P2PL crisis that ing, or if platforms have expanded into new borrower seg- developed in China, commentators noted that no com- ments, they may have access to poorer default data.516 prehensive personal credit system was accessible to P2PL Expansion of credit access is of course an important aim platforms. Platforms lacked access to the existing credit with regard to financial inclusion and financial access. reporting system run by the central bank, and commer- However, it is important that credit assessments be under- cial credit reporting for P2P lenders was still being devel- taken on a sufficiently rigorous basis regardless of the data oped.523 The importance of P2PL operators having access and methods used. to such information was highlighted repeatedly, partic- ularly given the lack of credit-related data held within Regulatory approaches the industry, in part impaired by its short track record.524 While this paper is not intended to canvass the range Creditworthiness assessment requirements for operators of issues that need to be addressed to ensure effective Creditworthiness assessment requirements are a key credit reporting and scoring arrangements, this is an area mitigant against unaffordable lending, and in a P2PL of significant complementarity to creditworthiness assess- context, it seems crucial that such obligations apply to ment obligations. It is therefore important that regulators the entity in the best practical position to undertake consider the adequacy of the credit reporting and scor- such assessments. This is usually the P2PL operator, rather ing ecosystem in their jurisdiction alongside the develop- than an individual consumer, regardless of whether they ment and implementation of FCP measures. The ICCR has are technically the lender under a relevant arrangement.517 recently issued a range of relevant guidance, including on The FCA introduced rules that require a P2PL operator to the implementation and operation of credit reporting and undertake creditworthiness assessments for non-mortgage scoring arrangements in developing countries lacking for- P2PL equivalent to those that would need to be undertaken mal data sources.525 by a traditional licensed lender. The rules set out detailed requirements on the information that should be obtained and verified by the platform operator about the borrow- Conflicts of interest between platform operators f)  er’s income, expenditures, and other circumstances for the and lenders/investors or borrowers purposes of such an assessment, and how the assessment should be made. Where the P2PL operator is a conduit for Risks to consumers a licensed lender, both entities would have such obliga- Conflicts of interest can affect many dealings between tions. Although the UK market for P2P consumer mortgage consumers and FSPs, but certain characteristics of partic- lending had not yet developed, the FCA more recently ular P2PL business models can be especially conducive to also extended its existing conduct rules for such lending conflicts of interest between operators and lenders/inves- to any P2PL platform that may offer home loans.518 The tors or borrowers. FCA has also imposed obligations on P2PL operators to undertake a reasonable assessment of the credit risk of the Conflicts of interest leading to imprudent lending borrower before the P2PL agreement is made where the assessments by platform operator operator determines the price of a P2P loan.519 The RBI has Where a P2PL operator’s revenue is heavily dependent similarly imposed obligations on P2PL operators to under- on fees for generating new loans (as is often the case), a take credit assessment and risk profiling of borrowers and potential conflict of interest that can arise is a tendency disclose the results of these to prospective lenders/inves- to weaken credit assessment standards to increase tors.520 The Act on Online Investment-Linked Finance and loan approvals. This can result in higher risks of loss than Protection of Users recently introduced in Korea requires expected by lenders/investors, as well as imprudent lend- P2PL operators to confirm borrowers’ income, assets, and ing that can expose borrowers to subsequent hardship. liabilities and prohibits them from lending in excess of the borrower’s ability to repay.521 Peer-to-Peer Lending   87 Many P2PL platforms earn fees from originating loans ary management. In the United Kingdom, such transfers while their lenders/investors bear the burden of any were found to be taking place without taking into account loss, creating an inherent conflict of interest.526 Fees the value of the loans at the time of transfer (in extreme frequently charged by platforms that can contribute to cases, loans already in default were being added to an such a conflict include origination fees (for example, as investor’s portfolio without any consideration of what a percentage of the loan amount) at the time of loan reduction in valuation would be required) or, when facil- origination and servicing fees (for example, as a percent- itating the transfer of prefunded loans arranged by the age of capital due) paid during loan reimbursement.527 operator or related party, without considering conflicts ASIC found in several periodic P2PL surveys that P2PL of interests.534 operators were generating most of their revenues from loan origination, while ongoing fees (such as linked to Conflicts from intra-platform arrangements loan repayments) made up a much smaller proportion.528 Conflicts detrimental to lenders/investors may also Platform operators themselves highlighted that they arise from the structures behind certain platforms or needed to manage the potential conflict between the from other arrangements internal to the platform. For interests of investors in not wanting credit assessment example, in a business model where the operator, or an standards lowered and those of operators who want to affiliated party, prefunds loans and then sells them through enable more borrowers to qualify for loans to generate the platform to individual lenders/investors while retaining additional fees.529 In addition, some platforms charge a stake, lenders/investors may be agreeing to receive only debt collection fees in relation to P2P loans, such as a a portion of the interest that the borrower is paying. percentage of the amount recovered, which can com- pound such conflicts of interests. Where the platform operator, or an affiliated party, can also invest in loans offered through the platform, they A bias toward making riskier loans can also be com- may have advantages over ordinary lenders/investors. pounded when trying to satisfy demand for higher Such advantages may include, for example, better or prior returns from investors.530 The FCA and other commen- access to loan selection (allowing “cherry-picking”) or tators have also noted that a greater propensity to adopt access to information about prospective borrowers, and looser credit assessment standards may be influenced by how they have been assessed, not available to other lend- a platform’s desire to grow their market share quickly to ers/investors.535 achieve commercial viability.531 Regulatory approaches Conflicts of interest leading to unfair or inappropriate General conflict mitigation obligations loan pricing A key mitigant would be to require P2PL operators P2PL operators are providing retail investors access to to implement adequate policies and procedures and asset types to which many such investors have previ- effective organizational and administrative arrange- ously had limited, if any, exposure.532 Even if investors ments designed to prevent conflicts of interest from understand the risks associated with such investments (an harming the interests of their clients. Such obligations important issue discussed separately below), the rate of would encompass expectations that operators take return they should expect remains a key issue. The FCA appropriate steps to identify and manage, or prevent, identified as a particular area of concern in its market conflicts of interest within their organization, such as con- P2PL models the situation in which the operator facilitates flicts between the interests of their management, staff, loans on behalf of investors and sets the loan price but it or agents and those of their clients, or conflicts that the is not clear that the interest being paid by borrowers is platform arrangements may create between different cli- appropriately linked to the credit risk they pose or that ents. For example, as a credit licensee under Australian the return received by investors reflects the investment legislation, a P2PL operator would be subject to a gen- risk they are actually prepared to take. Given this poten- eral obligation to have in place adequate arrangements tial disconnection between the risk taker and price setter, to ensure that its borrower clients are not disadvantaged there was a greater risk of harm for lenders/investors if by any conflict of interest that may arise wholly or partly credit assessments and pricing decisions were not under- in relation to credit activities engaged in by the operator taken properly.533 or its staff or agents.536 As a financial services licensee, they would be subject to (slightly different) general obli- Some P2PL platforms may transfer loans to investors gation to have in place adequate arrangements for the in inappropriate ways, such as when reassigning loans management of conflicts of interest affecting lenders/ between investors as part of an operator’s ongoing investors arising from the operator’s, or their staff or administration of loan portfolios under its discretion- agents’, provision of financial services.537 In the United 88   Consumer Risks in Fintech Kingdom, one of the “Principles for Businesses” apply- as important both when setting the interest rate (for ing to all authorized firms would require a P2PL operator new loans) and when calculating the present value of to manage conflicts of interest fairly, both between itself a loan (interest and principal) for existing loans being and its customers and between customers.538 The new EU transferred to a different investor.545 The FCA has pre- regulation on crowdfunding (including P2PL for business scribed strict rules on, first, carrying out a reasonable purposes) requires an operator to maintain and operate assessment of the credit risk of the borrower before effective internal rules to prevent conflicts of interest and a P2P loan is made. Such rules cover a range of mat- to take all appropriate steps to prevent, identify, man- ters that the operator must, or may, have regard to age, and disclose conflicts of interest between the oper- when undertaking a risk assessment. They include such ator, their shareholders, their managers or employees, aspects as the information to use, whether and to what and other related parties and their clients, or between extent to verify such information, and the character- one client and another client.539 istics of the credit.546 The rules then set out detailed requirements on loan pricing, loan allocation, and port- Conflicted remuneration restrictions folio composition that include determining a fair and Another important general mitigant is requiring P2PL appropriate price having regard to the loan’s risk pro- operators to have in place policies to ensure that staff file and taking into account the time value of money or management incentives do not encourage conflicted and relevant credit spread. Operators are expected to behavior. This would include ensuring that incentives for use appropriate data and robust modelling for such staff undertaking or overseeing credit assessments (or purposes.547 Relevant operators are also required to designing those credit assessments, such as where these review loan valuations under prescribed circumstances, are automated) are not based on volumes and take into including when they facilitate an investor’s exit before a account loan quality and overall performance. loan has matured, as well as when loans default or seem likely to do so.548 Duties to act in consumers’ best interests An additional potential approach would be to impose In some jurisdictions, restrictions or prohibitions have duties on operators to act in accordance with the been applied on P2PL operators or associates invest- best interests of clients and prospective clients. Such ing in loans facilitated by their platforms. Regulations as duty already exists in some jurisdictions. The new EU in China—which limit P2PL operators to intermediating regulation on crowdfunding imposes such a duty toward loans made directly between lenders/individuals and both lenders/investors and borrowers.540 In the United borrowers—prohibit operators from making any loans Kingdom, another “Principle for Businesses” to which themselves (and from attempting to disguise any lending authorized P2PL operators must adhere is to pay due on their own account).549 Indonesian regulations similarly regard to the interests of customers, as well as treating prohibit operators from acting as lenders (or borrowers).550 them fairly.541 In Australia, a P2PL operator operating a managed investment scheme is required to act in the Creditworthiness assessment requirements for operators best interests of the members of that scheme.542 How- Obligations on P2PL operators to undertake appro- ever, imposing such an obligation with regard to bor- priate creditworthiness assessments, already dis- rowers remains less prevalent. For example, Australia cussed above, can also mitigate against the risk of recently introduced a best-interests obligation toward conflicts leading to inappropriate lending decisions. borrowers under its consumer credit legislation limited These would ensure that the operator’s conduct would only to mortgage brokers.543 align with the interests of both lenders/investors and borrowers to make only loans assessed appropriately for Obligations targeting specific conflicted circumstances affordability. Authorities have also been implementing restrictions that target specific circumstances giving rise to con- flicts, such as fee setting and loan pricing policies. In ADDITIONAL CONSUMER RISKS 5.3  Brazil, P2PL operators are subject to an obligation to FOR LENDERS/INVESTORS adopt fees and charges policies consistent with viable lending, to ensure convergence of their own interests a)  Inadequate investment-related information and those of their clients.544 In the United Kingdom, Risk: Inadequate upfront information operators with responsibility for pricing loans have been obliged to have a mechanism in place to ensure The unavailability of adequate information about pro- that the pricing offered to lenders/investors accurately spective P2P loans, or a P2PL operator’s proposed reflects the credit risk of the borrower. This was viewed services, can mean that lenders/investors lack an ade- Peer-to-Peer Lending   89 quate basis to make informed investment decisions. In ing sufficient understanding of the marketplace lending addition to a P2PL operator’s failure (intentional or other- product when deciding to participate.555 Familiarity with wise) to provide such information, a range of factors affect traditional lending, including as a borrower, may also this risk in a P2PL context. contribute to a false sense of confidence that the risks are understood. Operators may lack information about loans and related arrangements necessary to produce appropri- Lenders/investors may also rely excessively on a plat- ate disclosures regarding risks and returns. Platforms form operator’s risk assessments or loan selection. need to have the right systems and controls to gather This issue can be exacerbated under circumstances necessary information.551 This includes information about where the regulatory framework in fact does not impose borrowers that is also needed for the purposes of cred- sufficient obligations on the operator to undertake such itworthiness assessments and loan pricing as discussed assessments.556 Even when the operator is subject to above. Even if P2PL operators are required or willing to such obligations, it is important for lenders/investors to publish such information, they may not necessarily have understand the practical limitations of these assessments extensive historical data to publish or on which to base and limitations on the legal responsibility of the oper- relevant disclosures.552 Lenders/investors may not appre- ator for losses. A lack of standardization in Europe for ciate the significance of a lack of data in assessing the risk information regarding credit assessment methods has of their investments, particularly if a platform has oper- been identified as one of the factors making it difficult ated only during more positive economy times. for lenders/investors to assess and compare the quality of platforms.557 In addition to a lack of adequate information about risks and returns, lenders/investors may not receive R  egulatory approaches to address inadequate adequate information about the fees and charges upfront information associated with the services that the platform oper- ator is providing. Charging structures in the P2PL sec- Disclosure requirements tor can be opaque. Fees and charges may be incurred Disclosure rules covering key matters such as expected by lenders/investors for loan origination, for various risks and factors affecting returns have been high- aspects of ongoing servicing of loans, and for contin- lighted as a key regulatory measure to ensure that gent events such as late payments. Operators’ charging appropriate information is available up front to lend- structures may be based not only on fees associated for ers/investors.558 Regulators in wide-ranging jurisdictions, individual services or events but also on receiving as a such as in China and the United Kingdom, have imple- variable margin a differential between the money due mented information content requirements for disclosures to lenders/investors who take on the credit risk and the that P2PL operators must provide in advance either to money paid by borrowers in interest. This can be par- the public at large or to individual lenders/investors. In a ticularly significant if the margin taken by the platform recent survey of regulators on alternative finance, ensur- significantly erodes the return for the lender/investor ing accurate and complete communications and provid- taking on that risk.553 ing standardized information were identified as some of the most prevalent regulatory measures.559 Investors/lenders may also lack awareness or apprecia- tion of the illiquidity of their P2PL investments. A par- The Chinese authorities have recently prescribed ticular P2PL platform may not offer them the ability to exit extensive disclosure requirements for P2PL as part of their investment at any given point in time or to gain early major regulatory reforms to address some of the signif- access to the funds they have invested/lent. icant problems that arose in their market. Following the issuance of the Interim Measures for the Administration Risks associated with a lack of information can be of the Business Activities of Online Lending Intermediary exacerbated by how lenders/investors’ behavioral Institutions560 discussed above, the then CBRC issued a biases manifest themselves in relation to P2PL. P2PL Guide to the Disclosure of Information on Business Activi- can offer less experienced lenders/investors access to ties of Peer-to-Peer Lending Information Intermediaries.561 asset types to which many of them may have previously The guide specifies requirements for P2PL operators to had limited or no exposure.554 Such lack of familiarity provide to investors, or the public more generally, a wide can contribute to investors not understanding the true range of information.562 Importantly, these disclosure nature of the risks of such lending, even if they have requirements apply in a context where Chinese P2PL experience investing in other assets. ASIC identified that platforms are permitted to facilitate only direct lending in the Australian market a key risk was investors not hav- between lenders/investors and borrowers. A P2PL opera- 90   Consumer Risks in Fintech tor is required to disclose an extensive range of informa- • The relevant loan, such as the proposed amount, term, tion to the public, including the following: and purpose of the loan, the repayment method, annual interest rate, basis on which the borrower will • Registration information: This comprises a range of infor- repay the loan, and any guarantee. mation recorded as part of its registration and licensing, such as details regarding that registration and license, • The operator’s risk assessment and possible risk out- and information about the bank where the funds man- comes identified in relation to the loan.564 aged in relation to the platform are held and about the operator’s risk management arrangements (including its The FCA’s progress in strengthening disclosure require- risk management framework, risk-assessment process, ments in this context illustrates some important con- and collection methods, among other details). siderations. When it was first given responsibility for regulating P2PL in the United Kingdom, the FCA decided • Organization information: This comprises a range of to treat investments on P2PL platforms in a manner similar information about the entity and its business, such as to other investments, making them subject to the same name and address details, and information about its generic disclosure rules.565 These included obligations capital, key personnel, including directors and man- applying to all communications with retail investors, such agement, business scope, shareholders, branches as an obligation that they must indicate any relevant risks (including contact details and complaints hotline num- when referencing potential benefits.566 They also included ber), and all of its electronic channels. having to provide retail clients with the following kinds of • Examination information: The operator is required to information in good time before the operator provides a disclose annually information such as their financial relevant service and their client makes a relevant transac- audit and regulatory compliance examination reports tion through the platform: (and update it if there are any changes from time to • Matters such as the operator’s authorization and time). contact details, conflicts of interest policy and client • Information about past and current loans: This com- money safeguards, performance reports the client prises a range of information relating to the P2P loans should expect, and costs and charges.567 that the operator has intermediated previously, includ- ing total number of loans and borrowers and total • A description of the nature and risks of the relevant amount of loans since formation, current number of investments in sufficient detail to enable the client loans and borrowers and total amounts outstanding, to make investment decisions on an informed basis. amount and numbers of loans overdue, proportion Although, as discussed below, the FCA declined to of outstanding loan balances that relate to the top mandate standardized form and content of disclosures 10 borrowers and the largest single borrower, similar (as was the case for collective investment schemes), information regarding loans made to related parties of the FCA did choose to provide guidance in its rules, the operator, as well as information about repayments offering detailed examples of information that P2PL made by another party as a result of the borrower’s operators advising on P2P loans or loan portfolio default, and details of the fees collected by the oper- should provide to explain relevant specific nature and ator from borrowers and standards for the calculation risks. The range of examples listed includes expected of such fees.563 and actual default rates, a description of how loan risk is assessed, whether a P2P loan benefits from any The Chinese authorities have also imposed detailed security and, if so, what, and an explanation of proce- obligations on operators to provide various precon- dures to deal with loans in default.568 tractual information about individual loans to prospec- tive lenders/investors. (Such obligations would of course Several years after P2PL operators became subject be relevant to P2PL business models allowing individual to these disclosure requirements, the FCA said that it loan selection by a lender/investor, rather than a P2PL had seen numerous examples of poor disclosures that business model where the operator manages loan port- needed to be addressed through more granular dis- folios on an investor’s behalf.) Prior to a lender/investor closure requirements.569 In recently strengthening disclo- committing to lend, the operator is required by to provide sure requirements, the FCA sought to focus further on the them with information about the following matters: need for lenders/investors to have sufficient information about the risks they were exposed to by participating in • The borrower, such as type of entity and industry, rev- P2PL, the nature of the investment opportunities, and enue and liabilities, overdue payments in the last six the role of the platform operator. As a result, it has now months recorded on their credit report, and other P2P imposed a range of additional detailed disclosure require- loans they hold. Peer-to-Peer Lending   91 ments on P2PL operators, including to provide lenders/ crowdfunding platforms (including P2PL operators) investors with the following:570 to disclose in relation to financing offers information about relevant analysis and other variables useful for • A description of the role of the platform operator, lenders/investors to make informed investment deci- particularly so lenders/investors are able to under- sions. In addition, the regulations prescribe items of stand the services being provided by the platform, information that must be disclosed by P2PL operators including key matters in relation to which they have facilitating loans for personal purposes between indi- responsibility and how they will discharge that viduals, including, in addition to loan details, risk ratings responsibility (such as price determination, assem- accompanied with a simple explanation of the method- bly of loan portfolios, and dealing with late repay- ology to determine them, arrangements related to risk ments or defaults).571 sharing, and information about the applicant, such as • Information about what could happen to the ongoing income sources.576 Mexico’s National Commission for administration of P2P loans and portfolios in the case the Protection and Defense of Users of Financial Services of platform failure.572 (CONDUSEF) also recently introduced detailed manda- tory content requirements for agreements below a pre- • Information about the investment that is made scribed monetary threshold.577 through a P2PL platform. The FCA mandates detailed minimum content requirements for information that The Brazilian authorities have also implemented spe- a platform operator must provide in relation to P2PL cific disclosure requirements for P2PL operators to agreements, varying (depending on the P2PL business provide to lenders/investors. Operators must display model) according to whether loans are to be selected prominently on their website and other electronic chan- by the lender/individual investor directly or selected nels and also include in contracts, advertising and pro- for the lender/investor by the operator.573 motional materials, and other consumer documents information about the nature and complexity of relevant Some regulators have prescribed less detailed disclo- P2PL services.578 Operators must also provide prospective sure rules than found in China or the United Kingdom, lenders/investors with expected rates of return, taking but the rules they have implemented also contemplate into account expected payment flows, taxes, fees, insur- that P2PL operators must provide the public or pro- ance, and other expenses.579 To inform prospective lend- spective lenders/investors with broad-ranging infor- ers/investors of the performance of loans facilitated by a mation. The RBI requires that P2PL operators disclose to platform, an operator must publish on a monthly basis the lenders/investors details about the borrower, including average default rates over the last 12 months for loans relating to their identity, the amount sought, the inter- they have facilitated, by risk classification.580 They must est rate sought, and the credit score determined by the also include a range of details to be provided to lenders/ operator, as well as details about all the terms and con- investors in P2P loan agreements regarding the loan and ditions of the loan, including likely return fees and taxes. the rights, obligations, and responsibilities between the In addition, operators are required to disclose publicly investor, borrower, and platform operator.581 on their website an overview of their credit assessment/ score methodology and factors considered, disclosures Under new legislation on P2PL passed by Korean on usage/protection of data, information about grievance authorities in 2019, P2PL operators are required to redressal mechanisms, portfolio performance, including provide lenders/investors with a range of information, share of non-performing assets on a monthly basis and including information relating to P2P loans, borrowers, segregated by age, and their business model.574 Similarly, risks relating to P2P loans, fees, rates of return, and Indonesia’s OJK mandates various disclosure require- debt collection procedures.582 In addition, they must ments, such as regarding the required minimum content publicly disclose information regard their transaction of agreements between a P2PL operator and individual structure, financial and business status, loan amounts, lenders/investors, and regarding information about indi- systems for evaluating borrowers’ ability to repay loans, vidual loans.575 As discussed above, OJK also requires that default rates, interest rates, fees and other changes, and applicants to become an online lender provide proof of repayment collection methods.583 membership in a fintech association, such as AFPI, whose code of ethics also mandates disclosure requirements. Mandated warnings and disclaimers As commentators often rightly note, warnings are Regulations made by the Mexican Banking and Secu- not a substitute for other measures to assist lenders/ rities Commission (Comisión Nacional Bancaria y de investors to make informed decisions, but obliging Valores, or CNBV) impose a general obligation on P2PL operators to provide certain warnings or dis- 92   Consumer Risks in Fintech claimers in key contexts can nevertheless highlight despite acknowledging otherwise—perhaps unwitting- risks for consumers and assist in balancing out inap- ly—a consumer may not in fact have been made appro- propriately optimistic perceptions. A now common priately aware of relevant risks. It is also important to international practice is to require platform operators to keep such measures from creating an erroneous per- warn lenders/investors that their returns are not guar- ception in FSPs or consumers that they shift the onus anteed and that they could lose their investment if the to mitigate relevant risks from the former to the latter borrower receiving the loan fails. Additionally, oper- more generally. ators must also state that the funds invested are not protected by a deposit-guarantee scheme. 584 Focusing Risk: Information is provided in an inadequate on another area of frequent concern, P2PL operators format in the United Kingdom are subject to general rules on A lack of uniform, well-designed standards for convey- disclosure of past performance that include providing a ing information may mean that information is not effec- prominent warning that past performance is not a reli- tively conveyed by P2PL operators. Even if lenders/ able indicator of future results.585 In the United King- investors are provided with sufficient information when dom, platforms that offer contingency funds (to cover considering investing in P2PL, they may not be able to some losses that lenders/investors may suffer in invest- identify the most important information out of the range ing through a platform) are also required to provide an of accessible information. A commentator notes that in up-front warning containing wording prescribed by the the United States, lenders/investors are offered dozens of regulator.586 The FCA has also prescribed where (in a categories of information that can be material or imma- prominent place on every page of each website and terial, verified or unverified, voluntary or mandatory.591 A mobile application available to lenders/investors con- lack of standardization also makes it difficult to compare taining any reference to a contingency fund, or where or assess the risks and returns of competing investment relevant in other documents in good time before any options.592 business is carried out for that lender/investor) and how (contained within its own border and with bold text as Shortcomings can relate to both the format of disclo- indicated) such a warning must be displayed.587 In a sure and the way content is formulated. A commenta- similar vein, the Brazilian authorities require that P2PL tor noted that in Europe, platforms might publish details operators display on their website and other electronic such as gross interest rates, bad debt rates, and default channels, as well as in promotional materials, contracts, on their websites. However, methods used to calculate and other consumer documents, a prominent warning risk-adjusted net returns differed considerably between that P2P loans constitute risky investments and are not platforms due to a lack of common standards for perfor- subject to deposit insurance.588 P2PL agreements must mance of P2PL investments.593 Of course, platform opera- also specify that the platform operator is not liable and tors also may not make sufficiently clear the methodology does not provide any type of guarantee in connection used to make such calculations. with repayment of a loan.589 Regulatory approaches to address inadequate In some jurisdictions, warnings are also coupled with disclosure formats acknowledgments from lenders/investors. The RBI To address risks that information may not be conveyed requires P2PL operators to obtain explicit confirmation effectively to lenders/investors, or may not be eas- from a prospective lender/investor that they understand ily comparable, some regulators have also imposed the risks associated with the proposed transaction and requirements for how information must be presented. that there is no guarantee of return and that there exists a However, these tend to be relatively general rules for likelihood of loss of the entire principal in case of default matters such as how information should be displayed by a borrower, including a summary sheet.590 The Brazilian and positioned on websites. For example, disclosure authorities similarly require that P2PL agreements include requirements imposed by authorities in Brazil include an an acknowledgment from the lender/investor that they obligation that relevant information be displayed prom- are aware of the risks of the relevant transaction loan and inently on relevant electronic channels.594 Requirements financing. that apply in China include that mandated disclosures must be set out in a dedicated, conspicuous section of It would be important to ensure, however, that any websites and equivalent electronic channels.595 such warnings or acknowledgments are not seen by regulators or P2PL operators as reducing the need Some regulators have implemented requirements for to address consumer vulnerabilities. For example, certain disclosure documents to be provided to lend- Peer-to-Peer Lending   93 ers/investors in a standardized format. CONDUSEF in closure of Information on Business Activities of Peer-to- Mexico has mandated a standardized format for a sum- Peer Lending Information Intermediaries601 states, among mary sheet that must be provided in or with P2PL agree- other things, that prescribed information must meet such ments.596 However, such requirements do not appear to general criteria as being accurate and not contain mis- be as widespread as information content requirements. leading statements or major omissions.602 Even regulators who have developed very detailed con- tent requirements for P2PL disclosure, such as in China Regulators have also sought to use more targeted or the United Kingdom, do not seem to be mandating regulations to address circumstances that present a standardized formats for such disclosure yet. The FCA higher risk of misleading lenders/investors. For exam- consulted publicly on whether it would be helpful to ple, a P2PL operator in the United Kingdom is subject to consumers and industry to have a standardized format rules on the disclosure of past performance to mitigate for P2PL disclosures (such as the key investor informa- the risk of inappropriate reliance by lenders/investors tion document it mandated for collective investment (for example, a restriction on giving it prominence in a schemes). However, it concluded that, due to the range communication, parameters regarding how indicators of of views received from stakeholders and the perceived such performance may be determined, and a prominent difficulty in standardizing information in a meaningful warning as to its value).603 They are also subject to rules way for a diverse sector, it would not develop a standard on disclosure of comparative information in relation to template but would keep the issue under review. The investments. As an example of inappropriate comparisons FCA’s view was that consumers’ difficulties in comparing that would be in breach, the FCA cites making direct com- information across platforms was primarily due to the parisons between investing money in P2PL and holding diverse nature of the sector, not to the lack of a stan- money on deposit.604 dardized format. Avoiding mandating a standardized format would, in its view, ensure that disclosures would Some regulators have sought to leverage general mis- be appropriately tailored to the specific characteristics leading conduct and fair treatment prohibitions to tar- of a platform’s business model and service offering and get specific issues affecting P2PL through associated allow sufficient flexibility to accommodate the continued guidance. This is particularly important where, given the evolution of the sector.597 novelty of the business models and offerings involved, it could be less clear to industry whether communications Risk: Unbalanced or misleading marketing may mislead consumers. For example, the Financial Mar- It is not unusual for P2PL operators, as is often the case kets Authority of New Zealand issued a guidance note with other FSPs, to highlight positive aspects to attract titled “Fair Dealing in Advertising and Communications— lenders/investors and expand their market share. At the Crowdfunding and Peer-to-Peer Lending” for licensed most concerning end of the spectrum would be provid- crowdfunding and P2PL platforms. The note is intended ing information that, by action or omission, is misleading to give guidance on the application to crowdfunding and to investors. It was observed during the development of P2PL products of the general fair dealing requirements the Chinese P2PL market that P2PL operators focused on in the New Zealand Financial Markets Conduct Act. The aspects such as average returns if they appeared attrac- guidance focuses on matters such as the need to balance tive, without highlighting associated risks sufficiently.598 representation about risk and reward in the context of Similarly, the regulator and other commentators in the such platforms and providing performance information United Kingdom highlighted concerning practices such as appropriately, giving contextualized examples.605 In the promoting past performance without warning that it was United Kingdom, in addition to implementing detailed not an indicator of likely future performance and making regulatory requirements with regard to the disclosure, inappropriate comparisons between investing funds in the FCA has repeatedly issued guidance on P2PL prac- P2PL and placing them on deposit.599 tices that could mislead consumers and thus should be adjusted. For example, it has highlighted P2PL platforms Regulatory approaches to address unbalanced or that offer a target rate of return promoting maximum tar- misleading marketing get rates in ways that lenders/investors might easily mis- take for fixed or guaranteed returns.606 In Australia, ASIC General prohibitions against providing misleading has highlighted similar issues in guidance targeted at P2P information are an important measure in FCP regu- lenders that also relies on existing obligations under FCP latory frameworks generally600 and clearly relevant in legislation of general application to consumer credit and relation to P2PL. Where a separate regulatory regime other financial products.607 is developed for P2PL, such general prohibitions would be appropriate. In China, the CBIRC’s Guide to the Dis- 94   Consumer Risks in Fintech Risk: Inadequate ongoing information tion, fraud, or other incidents affecting its operations in Even if lenders/investors receive adequate informa- a manner that may damage borrowers’ interests, or if tion prior to entering into P2PL credit and investment their management or other key staff or representatives agreements, they may not be provided with adequate are subject to circumstances such as litigation, investi- ongoing disclosure of material changes to their loans, gation by law enforcement, or criminal or major admin- such as borrower defaults.608 As a result, they may be istrative sanctions.615 Such disclosures must include the less able to make appropriate ongoing decisions regard- possible impact of an event and measures being taken ing their investments and to react to adverse changes. to address it. Regulatory approaches to address inadequate Harm due to lenders’/investors’ lack of b)  ongoing information sophistication or inexperience Jurisdictions are increasingly requiring P2PL opera- tors to provide lenders/investors with ongoing infor- Risks to consumers mation about their individual loans/investments, as Even if lenders/investors are provided with adequate well as other matters relating to the platform that information about P2PL, they may be exposed to may affect those loans. In China, a P2PL operator must harm due to a lack of investing skills or sophistication. provide to lenders/investors, on a monthly or quarterly This risk can be exacerbated by the fact that, as already basis (depending on loan term), prescribed ongoing discussed above, P2PL often entails more complex and information in relation to their individual loans, includ- riskier aspects than widespread or simpler types of ing changes to the borrower’s financial circumstances investments that consumers may be familiar with. For and repayment ability, any overdue repayments and example, as noted by the EBA, the assessment of a P2PL additional charges imposed on the borrower, and other opportunity can require a fairly thorough and profound matters that may affect their position.609 In Brazil, lend- analysis and understanding of a potential borrower. A ers/investors must similarly be provided with ongoing lender/investor would need a certain level of financial lit- information about defaults relating to their loans.610 The eracy to be able to make a fully educated decision about regulations in Mexico also mandate the ongoing provi- a specific investment opportunity.616 Even assuming, as sion of information to lenders/investors regarding their discussed earlier, that the P2PL operator undertakes a loans, such as the current status of the loan and the bor- credit assessment of a borrower, to make effective deci- rower’s repayment performance.611 In the United King- sions an investor must be able to understand sufficiently dom, operators must ensure that, at any point in time, a both the implications of the operator’s assessment and lender/investor is able to access a range of details about its limitations. It may also be the case that a P2PL oper- each of their loans, such as pricing, the borrower’s inter- ator does not have sufficient information or understand- est rate, a fair description of the likely actual return, tak- ing about an individual investor/lender’s lack of skills or ing into account fees, default rates and taxation.612 These sophistication. This may be due to a lack of effort or the are in addition to existing general obligations to provide unavailability of data. lenders/investors with written confirmations of transac- tions and periodic statements.613 Regulators have also expressed concern about the risk that P2PL may expose lenders/investors to excessive Lenders/investors may also benefit from periodic losses having regard to their financial and other per- updates regarding the general performance of the sonal circumstances. The FCA noted recently (but pre- P2PL operator, as well as notices of adverse events. COVID-19) that, while losses and defaults in their P2PL P2PL operators in the United Kingdom that set the price sector had been low, it was important to recognize that of loans/loan investments must publish an annual “out- the sector both was relatively new and had not been comes statement” that includes the expected and actual through a full economic cycle. When economic conditions default rate of all P2P loans by risk category, a sum- tighten, losses on loans could increase.617 While the FCA mary of the assumptions used in determining expected could not quantify the number of lenders/investors at risk future default rates, and actual returns achieved (where of overexposure, in a survey of 4,500 investors, 40 per- a platform offered a target rate).614 Operators in China cent said they had invested more than their total annual are required to disclose publicly within 48 hours if they income, and, of those, half had invested more than dou- have been affected by any of a range of adverse cir- ble their annual income.618 Unfortunately, the impact that cumstances, such as bankruptcy events, cessation or the COVID-19 crisis is having on P2PL is demonstrating suspension of business operations, significant litiga- the potential impact of downturns.619 Peer-to-Peer Lending   95 Regulatory approaches In addition, where no advice is given to a retail client in relation to investing in P2PL (which itself would need Lending/investment caps and appropriateness to comply with regulatory requirements as to its appro- requirements priateness), the operator must undertake an appropri- Many jurisdictions have implemented investment or ateness assessment before the client can invest in P2PL. lending caps for lenders/investors.620 These limits fre- The operator is required to determine whether the client quently apply only to lenders/investors that are consid- has the necessary experience and knowledge in order ered less sophisticated or otherwise more vulnerable. to understand the risks involved in relation to the P2PL Lending/investing caps can be implemented on a variety opportunity being offered.625 The FCA has included of bases, such as permitting a lender/investor to invest a guidance with its new rules suggesting a range of mul- maximum amount per borrower, within a certain period of tiple-choice questions (avoiding binary yes/no answers) time or depending on their income or assets.621 Interna- that operators should consider asking clients. They tionally, the level of such caps varies significantly. relate, for example, to the client’s exposure to the credit risk of the borrower, their potential loss of capital, and As is the case with other retail investor protection mea- their understanding that investing in P2PL is not compa- sures, a lender/investor’s income or assets are often rable to depositing money in a savings.626 used as proxies to indicate greater vulnerability or lesser sophistication. This link may not necessarily always The FCA’s decision to apply these restrictions appears be borne out in practice. Nevertheless, setting caps on to reflect its evolving views—drawing from its moni- such a basis can also assist to protect lenders/investors toring of the lending market—regarding the risks that from losses that may have a greater financial impact on P2PL presents for more vulnerable lenders/investors. lower levels of assets or income. In 2013, the FCA had indicated that its approach to mit- igating relevant risks was to place a particular focus on Another approach to address such risk can be to require the quality of P2PL operators’ disclosure, including finan- a P2PL operator to evaluate the financial literacy, and cial promotions. However, following a review in 2018, the relevant experience and knowledge, of individual FCA expressed views that many of the risk characteristics lenders/investors and categorize them accordingly. A inherent in the investment-based crowdfunding market lender/investor would be permitted to invest only in lend- also existed in the P2PL sector, and that those characteris- ing deemed suitable for their risk categorization.622 tics could similarly expose lenders/investors to potentially unsuitable, risky assets.627 There was significant industry The FCA recently decided to extend to P2PL marketing resistance to the application of these restrictions to P2PL. restrictions that already applied to investment-based Respondents to public consultations argued that impos- crowdfunding.623 The application of the restrictions ing a marketing restriction was a disproportionate and depends on both prospective clients’ experience and “blunt tool” to achieve the FCA’s stated consumer pro- sophistication, as well their financial circumstances. The tection objective.628 However, the regulator maintained restrictions also take into account whether clients may be its view that the restrictions—particularly the investment receiving regulated investment advice that could also act cap for restricted lenders/investors—were an important as a mitigant against lack of experience or sophistication. means of ensuring that retail investors who are new to the The new rules mean that P2PL operators are permitted P2PL asset class do not overexpose themselves to risk. to promote P2PL opportunities to retail clients only under Investors could always be reclassified as sophisticated one the following circumstances: investors (removing the 10 percent investment limit) • If clients are certified or self-certified as “sophisticated when they had more experience. The FCA also consid- investors” or are certified as “high-net-worth investors”. ered whether it would be possible to apply the proposed marketing restrictions in a targeted way, only to platforms • If the operator confirms before a promotion is made with the riskiest investment strategies. However, it dis- that, in relation to the investment being promoted, the missed this option, finding significant practical challenges retail client will receive regulated investment advice or in doing so.629 investment-management services from an authorized person. Concerns that P2PL opportunities should be made • If the retail client will be certified as a “restricted inves- available only to lenders/investors for whom they are tor,” which means that they will not invest more than deemed appropriate were echoed recently by com- 10 percent of their net investible assets in P2P loans in mentators in China given adverse developments in the 12 months following certification.624 that market. 630 The Chinese authorities similarly intro- duced rules requiring P2PL operators to apply restric- 96   Consumer Risks in Fintech tions on lenders/investors’ access to P2PL opportunities was to provide an overall investment cap of ₩50 mil- depending on their personal circumstances. However, lion. However, prior to the legislation coming into effect, they have not prescribed particular categories of investor the responsible authorities under the legislation (the restrictions based on which such restrictions should apply. Financial Services Commission and Financial Supervisory Rather, the Interim Measures for the Administration of the Service) announced new regulations under the law that Business Activities of Online Lending Intermediary Insti- would impose a new lower limit for individual lenders/ tutions require an operator to carry out an assessment of investors of ₩30 million, taking into account increased the age, health, financial status, investment experience, levels of credit risk amid the COVID-19 crisis.640 risk preference, and risk-bearing capacity of a prospec- tive lender/investor. The operator is required to establish Borrowing limits its own lending limits and restrictions on lending subject Some jurisdictions have implemented caps on the matter that it applies to individual lenders/investors based amount that individual borrowers may borrow through on their risk-assessment results.631 Such an approach P2PL platforms, as another way to reduce credit risk places a significant onus on P2PL operators to identify and thus ultimately risk of loss to lenders/investors on appropriate investor categories that will not subsequently a platform. The Chinese authorities’ Interim Measures be viewed as in breach of requirements by the authorities. for the Administration of the Business Activities of Online They may also result in significant variation in approaches, Lending Intermediary Institutions impose a general obli- potentially leading to gaps in protection or differences in gation on P2PL operators to set limits on individual bor- market performance. rowers’ total loan balances with individual platforms and across platforms. In addition, they specify caps on the The RBI has imposed a general obligation on P2PL total loan balances a borrower may hold through any operators to undertake due diligence on lenders/inves- single platform of ¥200,000 for natural persons and ¥ tors without prescribing restrictions based on specific 1 million for legal persons. Limits of ¥1 million and ¥5 characteristics.632 However, it has also imposed both a million have been set for total loan balances of a natural cap on the total loans that a lender/investor may make person or a legal person, respectively, across multiple of ₹1 million and a cap of ₹50,000 on a lender/investor’s platforms.641 Commentators in China have noted that exposure to any individual borrower.633 The rules intro- these lending limits are viewed as a key regulatory tool duced by the Brazilian authorities take a similar approach, introduced under the Interim Measures, consistent with imposing a cap for unsophisticated investors of R$15,000 the policy view (stated in the Interim Measures them- per borrower on the same platform.634 They also impose a selves) that P2PL is generally intended to be undertaken general obligation on operators to analyze the risk profile for small-value finance. They are also aligned with limits of prospective lenders/investors to determine if P2PL is under separate regulation prohibiting illegal public fund- suitable for that risk profile.635 raising. However, industry participants have also com- plained that the limits that have been set may unduly The implementation of monetary caps on lending restrict the amount of credit being made available.642 appears to be widespread in the European Union636 and growing internationally.637 For example, in France, The RBI has imposed a cap of ₹1 million on the aggre- caps for individual lenders/investors apply of €2,000 gate P2P loans taken out by a borrower at any point per loan if interest-paying or €5,000 if interest free, in time.643 It is notable that some jurisdictions have imple- while Spain has prescribed limits on a per-loan and total mented aggregate borrowing caps across P2PL platforms. annual basis (of €3,000 and €10,000, respectively) for Of course, a key element in facilitating P2PL platforms’ unaccredited investors. Accredited investors not subject ability to monitor and adhere to such caps would be to such limits include (in addition to institutional inves- ensuring availability of reliable credit reporting informa- tors and companies that meet certain asset and turnover tion across those platforms (as noted earlier in the con- thresholds) individuals with €50,000 of annual income or text of creditworthiness assessment requirements). OJK in €100,000 of financial assets or companies.638 Regulations Indonesia has limited itself to prescribing a loan cap for made by the Mexican Banking and Securities Commis- P2PL platforms of Rp 2 billion per borrower.644 sion under Mexico’s Financial Technology Institutions Law impose limits on the percentage of a lender/inves- Compensation funds tor’s total investment in a platform that can be allocated A measure considered by some authorities and com- to a single borrower. For loans between individuals, the mentators is the implementation of contingency funds limit is 7.5 percent.639 The Korean authorities recently to provide compensation to lenders/investors in the passed a new law, the Act on Online Investment-Linked event of loss. Such a fund would be relevant, for exam- Finance and Protection of Users, that on commencement ple, where a P2P loan is unsecured or realization of the Peer-to-Peer Lending   97 security would be insufficient to cover potential losses. operator to deny access to their platform if they have rea- However, their adoption—at least as a regulatory mea- son to believe that a borrower might potentially act fraud- sure—does not seem widespread. Most jurisdictions cur- ulently.648 Such measures should also be partial elements rently do not appear to regulate such funds that may be of compliance with broader obligations discussed earlier offered for individual P2PL platforms.645 in the chapter to have in place appropriate risk manage- ment systems. Authorities have expressed concerns regarding the effectiveness of such funds as well as their potential Beyond FCP requirements, P2PL operators should of downsides. The FCA noted that some P2PL platforms course be subject to mitigating obligations under a operating in its jurisdiction offered contingency funds jurisdiction’s AML/CFT laws. These would require them intended to top up payments made to lenders/investors to apply “know your customer” systems and processes to in the event of a borrower’s default. While acknowledg- prospective borrowers. ing the intention to protect lenders/investors, the FCA expressed concern (echoed by other commentators)646 Creditworthiness assessment requirements that such funds can lead them to misunderstand that The creditworthiness assessment requirements also platforms are providing a guaranteed return on the loans already discussed above could act as a mitigant against they facilitate, driven by potentially misleading advertis- borrower fraud. As a commentator notes, an additional ing or claims with regard to such funds. Another con- benefit of requiring appropriate verification of borrower cern raised relates to the variation in the ongoing level information for the purposes of credit-risk and creditwor- of funding for such funds. As a result, while the FCA thiness assessments is that such verification can also assist decided not to prohibit P2PL platforms from operating in mitigating against the risk of fraudulent borrowers.649 a contingency fund, it made clear its expectations that operators not rely on them in place of good risk man- agement and that operators run them appropriately ADDITIONAL CONSUMER RISKS 5.4  and explain their operation and limitations properly to FOR BORROWERS potential investors. It also noted that in the United King- dom, if a contingency fund is designed to provide lend- a)  Inadequate loan-related information ers/investors with an enforceable right to claim against it Risks to consumers for losses arising on borrower default, then providing the fund could constitute the provision of insurance, attract- Regulators in a range of jurisdictions, such as the Euro- ing corresponding regulatory requirements.647 This issue pean Union650 and China,651 have recognized the risks of would also be relevant under other jurisdictions’ insur- borrowers on P2PL platforms not receiving adequate ance regulatory regimes. information or being misinformed with regard to their loans. This can lead borrowers to unwittingly take up unsuitable loans or not to understand their rights or obli- c)  Borrower fraud gations in relation to such loans. Such risks can arise in part if, as discussed above, P2PL is not adequately covered Risks to consumers by existing FCP requirements addressing transparency Lenders/investors could suffer the loss of their funds if and disclosure, as well as product design and suitability these are provided to fraudulent borrowers. This may requirements for credit products. Such requirements may result not only where an applicant is an impostor intend- also require tailoring to P2PL activities to be effective. ing to abscond with the funds as soon as an application is approved but also if aspects of an application from a genu- Regulatory approaches ine borrower are fraudulent, such as their declared income. Extend application of existing traditional credit Regulatory approaches disclosure requirements Existing borrower disclosure requirements that Risk management requirements already apply to credit provided by traditional lend- The risk management requirements already discussed ers could address at least some information needs of above could also act as a mitigant against borrower P2PL borrowers. For example, in the United States, the fraud. Obligations on a P2PL platform operator to obtain lender of record for a P2P loan is subject to the provisions not only appropriate identification information about bor- of TILA. TILA requires lenders to provide borrowers with rowers but also information about matters such as their specified information regarding the T&C of their loans financial status and potential criminal background would as well as changes to these in a prescribed standardized obviously assist in this context, as would requiring the format. The prescribed information differs depending 98   Consumer Risks in Fintech on the nature of the loan being made. Commentators relating to their loan T&C; Indonesia’s OJK prescribes noted that previously it would have been more diffi- a list of content requirements for P2PL agreements. cult to ensure compliance with the TILA requirements CONDUSEF has mandated a standardized format for a in a P2PL context where the lender of record were the summary sheet that must be provided in or with P2PL individual lenders/investors. However, the registration agreements.657 On the other hand, while, as discussed requirements imposed by the securities regulator dis- above, the Chinese authorities have implemented an cussed above have effectively forced P2PL operators extensive disclosure regime for P2PL as part of recent to issue loans to borrowers in the operator’s own name, reforms, particularly with regard to disclosures to lend- making them subject to TILA disclosure requirements.652 ers/investors, the regime does not appear to set out P2PL operators that offer credit to Australian consumers significant prescriptive requirements for disclosures to would similarly be subject to precontractual and con- borrowers (although it does require disclosure of a range tractual disclosure requirements. They include, among of information to the public more generally).658 other things, obligations to provide to consumers doc- uments known as “credit guides” when proposing to b) Risks from digital provision of P2PL credit provide credit-related services. A credit guide must pro- vide a range of information about the credit services, Chapter 4 (on digital microcredit) discusses a range such as details of the relevant credit licensee, potential of important risks that arise from, or are exacerbated fees, charges, and commissions, and complaints-res- by, the provision of credit through digital means. They olution mechanisms.653 They also include content and include, for example: form requirements for “precontractual statements” and • Obstacles to conveying information effectively via dig- “information statements” to be provided to a consumer ital means (see section 4.2). before a credit contract is entered into, as well as for final credit contracts.654 • Significant risks emerging from greater reliance on automated decision-making and the use of algorithms Tailored disclosure requirements (see section 4.5). Some jurisdictions have sought to address gaps in Such risks and corresponding regulatory approaches are existing borrower disclosure regimes by developing also highly relevant to the provision of credit through a requirements specific to P2PL. The Indian655 and Indo- P2PL platform. nesian656 authorities, for example, have obliged P2PL operators to provide borrowers specific information NOTES 406 Balyuk, “Financial Innovation and Borrowers,” 7. 407 ASIC, Survey of Marketplace Lending Providers (Report 526), para 17–18. 408 See, for example, ASIC, Marketplace Lending. 409 See, for example, FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 1.14. 410 See, for example, EC, Crowdfunding Explained, 14. 411 Karakas and Stamegna, “Defining an EU-Framework,” 107. 412 Such as “P2P marketplace lending”—see, for example, Owens, “Responsible Digital Credit.” 413 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 11. 414 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 11–13. 415 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 3.9–3.2. 416 CCAF, Global Alternative Finance Market Benchmarking Report, 24. 417 Financial Times, “Ant Posed Threat to China’s Centralised Control.” 418 Duoguang, “Growing with Pain,” 42; Huang, “Online P2P Lending,” 65–68. See also World Bank Group, Capital Markets and SMEs, 60–61. 419 Liu, “Dramatic Rise and Fall.” 420 Cornelli et al., Fintech and Big Tech Credit, 9–10. 421 World Bank Group and CCAF, Regulating Alternative Finance, 59. 422 Owens, “Responsible Digital Credit,” 8–9. 423 See Huang, “Online P2P Lending,” 77. 424 Hornby and Zhang, “China’s Middle Class.” Peer-to-Peer Lending   99 425 Financial Times, “Ant Posed Threat to China’s Centralised Control.” 426 Megaw, “Peer-to-Peer Groups Battle”; Makortoff, “Peer-to-Peer Lender Funding Secure.” 427 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 1.14. 428 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 3.2–3.3. 429 See, for example, Rahman, “‘They Terrorized Me Every Day.’” 430 See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.” 431 Central Bank of Ireland, Consumer Notice on Crowdfunding. 432 EBA, “Opinion of the European Banking Authority,” para 118–119. 433 EC, Crowdfunding in the EU Capital Markets Union, 27. 434 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 4.1–4.4. 435 Davis and Murphy, “Peer-to-Peer Lending,” 37. 436 See National Consumer Credit Protection Act 2009 (Cth) (Australia), ss. 6 and 29 (requirement to be licensed if undertaking credit activities). The Act also applies a broad range of conduct and disclosure obligations when engaging in credit activities involving consumers. 437 See Corporations Act 2001 (Cth) (Australia) s. 911A and Chapter 7, Division 4 (requirement to be licensed if providing financial services) and s. 601ED (requirement to register a management investment scheme). The Act also applies a broad range of conduct and disclosure obligations, primarily when providing financial services to retail clients. 438 Samitsu, “Structure of P2P Lending and Investor Protection.” 439 Money Lending Business Act No. 32 of May 13, 1983 (Japan). 440 Money Lending Business Act No. 32 of May 13, 1983 (Japan), Chapter II; CCAF, Third Asia Pacific Region Alternative Finance Industry Report, 80–81. 441 As part of the transfer of responsibility for consumer credit regulation from the Office of Fair Trading (which had licensed a limited number of P2P lending platforms) to the FCA. 442 Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544) (UK), art. 36H, and FCA, FCA’s Regu- latory Approach to Crowdfunding (and Similar Activities), para 2.8. 443 Intergovernmental Fintech Working Group, IFWG Fintech Workshop 19–20 April 2018, 22. 444 See, for example, FCA Consumer Credit Sourcebook—October (UK), 4.3 and 5.5A. 445 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil). 446 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 14. 447 See Ehrentraud et al., Policy Responses to Fintech, 17. 448 Guiding Opinions on Promoting the Healthy Development of Internet Finance 2015 (China), art. 2. 449 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China). 450 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 10. See also Duoguang, “Growing with Pain,” 52–53. 451 Online Investment-Linked Finance and Protection of Users Act 2019 (Korea); Shin & Kim, “National Assembly Passes New Law.” 452 Emergency Decree No. 013-2020-JUS/DGTAIPD 2020 (Peru), Title IV. 453 Financial Technology Institutions Law 2018 (Mexico). 454 Financial Technology Institutions Law 2018 (Mexico), art. 15–16. 455 Law on Transparency for Financial Services, 15 June 2007 (Mexico). 456 Reserve Bank of India, Report of the Working Group on FinTech and Digital Banking, para 5.1.1. 457 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India). 458 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), Chapter II Part 4. 459 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 48. 460 Securities Act 1933 15 USC § 77a. 461 See, for example, Lo, “If It Ain’t Broke,” 88–89. 462 Samitsu, “Structure of P2P Lending and Investor Protection.” 463 Financial Instruments and Exchange Act No. 25 of 1948 (Japan). 464 Financial Instruments and Exchange Act No. 25 of 1948 (Japan), Chapter III; CCAF, Third Asia Pacific Region Alternative Finance Industry Report, 80. 465 ASIC, Survey of Marketplace Lending Providers (Report 526), para 150–151. 466 See, for example, ASIC, Marketplace Lending. 467 EBA, “Opinion of the European Banking Authority,” para B2 and C6. 468 Duoguang, “Growing with Pain,” 50. 469 Duoguang, “Growing with Pain,” 44. 470 EBA, “Opinion of the European Banking Authority,” para 70 and 71. 471 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 15. 100   Consumer Risks in Fintech 472 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), Chapter II; Guide to the Administration of Recordation and Registration of Peer-to-Peer Lending Information Intermediaries (issued on October 28, 2016 by the China Banking Regulatory Commission and other authorities). See also Huang, “Online P2P Lending,” 73–74. 473 Peer-to-Peer Lending Information Intermediaries of Guangdong Province—Detailed Implementation Rules for Recordation and Registration (Exposure Draft issued on 14 February 2017). See also Huang, “Online P2P Lending,” 73–74. 474 FCA Principles for Businesses—October 2020 (UK), 2.1.1R (Principle 3). 475 FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (UK), 4.1.1R and 7.1.3R. 476 Financial Technology Institutions Law 2018 (Mexico), art. 37. 477 This paper is not intended to cover prudential concerns and requirements. Of course, it is the case, however, that these over- lap with consumer risks and FCP rules. For example, for a discussion of the relevance of capital requirements to P2PL entities’ operational risks, see World Bank Group, Prudential Regulatory and Supervisory Practices, 17–19. 478 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26. 479 EBA, “Opinion of the European Banking Authority,” para F1, 45, and 83. 480 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26. 481 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Ser- vices (Indonesia), art. 25; Financial Services Authority Circular Number 18/SEOJK.02/2017 Regarding Information Technology Risk Management and Management in Information Technology-based Lending (Indonesia). 482 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 18. 483 See, for example, ASIC, Survey of Marketplace Lending Providers: 2016–2017, para 21. 484 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), annex . 485 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 9(3). 486 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 14. 487 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.19. 488 OJK, “OJK Issues Regulation on IT-Based Lending Services,” 2. 489 EBA, “Opinion of the European Banking Authority,” para D3 and 43. 490 IOSCO, IOSCO Research Report, 16; EC, “Inception Impact Assessment,” 2. 491 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 2.24. 492 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 3.51–3.52. 493 Davis and Murphy, “Peer-to-Peer Lending,” 40. 494 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 3.50–3.52. 495 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.55. 496 See, for example, Owens, “Responsible Digital Credit,” 5, 31. 497 EBA, “Opinion of the European Banking Authority,” para 79–80. 498 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 10. 499 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 9(1). 500 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 24. 501 Online Investment-Linked Finance and Protection of Users Act 2019 (Korea) art. 26; Shin & Kim, “National Assembly Passes New Law.” 502 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.34–3.36. Also see FCA Client Assets Source- book—October 2020 (UK), 7, and FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (UK) 4.1.8ER. 503 See Havrylchyk, Regulatory Framework. 504 Huang, “Online P2P Lending,” 74–75; Duoguang, “Growing with Pain,” 52, 54. 505 Guidelines for Online Lending Fund Depository Business (issued on February 22, 2017 by the China Banking Regulatory Com- mission). 506 Huang, “Online P2P Lending,” 78–79. 507 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 13. 508 Havrylchyk, Regulatory Framework, 26. 509 EBA, “Opinion of the European Banking Authority,” para 69. 510 FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (UK) 4.1.8DBR-4.1.8DDR. See also FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 2.29–2.32; FCA, Loan- Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.55–5.61; ASBA and IDB, Global Fintech Regulation and Supervision Practices, 22. 511 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.55–4.57. 512 EBA, “Opinion of the European Banking Authority,” para C7 and 48. 513 See, for example, the discussion of auto-bids and auto-selections based on parameters specified by investors and assessed by the platform against loans in Ziegler et al., Shifting Paradigms, 41. Peer-to-Peer Lending   101 514 See Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26; Havrylchyk, Regulatory Framework, 22. 515 Grady et al., Financial Consumer Protection and New Forms of Data. 516 Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26. 517 FCA Consumer Credit Sourcebook—October 2020 (UK) 5.5A. 518 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 4.1–4.6. 519 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.5R–18.12.10R. 520 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 6(1). 521 Online Investment-Linked Finance and Protection of Users Act 2019 (Korea), art. 20; Shin & Kim, “National Assembly Passes New Law.” 522 Havrylchyk, Regulatory Framework, 23. 523 Xiao, “Improving China’s P2P Lending Regulatory System,” 462, and Huang, “Online P2P Lending,” 88. 524 Huang, “Online P2P Lending,” 88, and Duoguang, “Growing with Pain,” 50. 525 See World Bank Group and International Committee on Credit Reporting, Credit Scoring Approaches Guidelines, and ICCR, Use of Alternative Data. 526 Owens, “Responsible Digital Credit,” 18. 527 Havrylchyk, Regulatory Framework, 14. 528 ASIC, Survey of Marketplace Lending Providers (Report 526), para 67; ASIC, Survey of Marketplace Lending Providers: 2016- 2017, para 45–46; ASIC, Survey of Marketplace Lending Providers: 2017–2018, para 46. 529 ASIC, Survey of Marketplace Lending Providers (Report 526), para 11–12 and 124. 530 The Economist, “Created to Democratise Credit.” 531 Oxera, Crowdfunding from Investor Perspective, 25; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), 43 and 45. 532 Davis and Murphy, “Peer-to-Peer Lending,” 40. 533 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.36–4.37. 534 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.42–4.46. 535 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.39–5.40. 536 National Consumer Credit Protection Act 2009 (Cth) (Australia), s. 47(1)(b). 537 Corporations Act 2001 (Cth) (Australia), s. 912A(1)(aa). 538 FCA Principles for Businesses—October 2020 (UK),2.1.1R (Principle 8). 539 See, for example, EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 8(3)-(4). 540 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 12(2). 541 FCA Principles for Businesses—October 2020 (UK), 2.1.1R (Principle 6). 542 Corporations Act 2001 (Cth) (Australia), s. 601FC(1)(c). 543 National Consumer Credit Protection Act 2009 (Cth) (Australia), s. 158LE. 544 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 23. 545 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.38–4.41. 546 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.5R-18.12.10R. 547 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.11R–18.12.15G. 548 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.16R–18.12.17R. 549 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 10. 550 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 43. 551 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.14–4.19. 552 IOSCO, IOSCO Research Report, 17. 553 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.28–4.33. 554 Davis and Murphy, “Peer-to-Peer Lending,” 40. 555 ASIC, Marketplace Lending. 556 EBA, “Opinion of the European Banking Authority,” para C3 and 37; also see 47. 557 Lenz, “Peer-to-Peer Lending,” 695. 558 Lenz, “Peer-to-Peer Lending,” 695-696. 559 World Bank and CCAF, Regulating Alternative Finance, 47. 560 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), Chapter V. 561 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China). 562 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), Chapter II and Attachment—Explanation on the Content of the Disclosure of Information. 102   Consumer Risks in Fintech 563 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 7–8 and Attachment—Explanation on the Content of the Disclosure of Information. 564 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 9 and Attachment—Explanation on the Content of the Disclosure of Information. 565 FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.1–3.5. 566 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.5.2R–4.5.5G; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.56–3.60. 567 FCA Conduct of Business Sourcebook—October 2020 (UK), 6.1; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.62. 568 FCA Conduct of Business Sourcebook—October 2020 (UK), 2.2 and 14.3; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.64–3.68. 569 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.65–5.66. 570 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 2.36–2.49. See also corre- sponding discussion of original proposals in FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20). 571 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.24R. 572 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.28R. 573 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.26R–18.12.27R. 574 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 9(1). 575 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 19. 576 Banking and Securities Commission—General Provisions Applicable to Financial Technology Institutions, 10 September 2018, as amended 25 March 2019 (Mexico), art. 89–90. 577 Banking and Securities Commission—General Provisions of CONDUSEF on Transparency and Sound Practices Applicable to Financial Technology Institutions, 9 July 2019 (Mexico). 578 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 579 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 18. 580 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 19. 581 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 12. 582 Online Investment-Linked Finance and Protection of Users Act 2019 (Korea), art. 22; Shin & Kim, “National Assembly Passes New Law.” 583 Online Investment-Linked Finance and Protection of Users Act 2019 (Korea), art. 10; Shin & Kim, “National Assembly Passes New Law.” 584 ASBA and IDB, Global Fintech Regulation and Supervision Practices, 21. 585 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72. 586 “The contingency fund we offer does not give you a right to a payment so you may not receive a pay-out even if you suffer loss. The fund has absolute discretion as to the amount that may be paid, including making no payment at all. Therefore, investors should not rely on possible pay-outs from the contingency fund when considering whether or how much to invest.” 587 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.33R–18.12.34R. 588 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 589 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 12. 590 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 12(2). 591 Lo, “If It Ain’t Broke,” 107. 592 Owens, “Responsible Digital Credit,” 3. 593 Lenz, “Peer-to-Peer Lending,” 695. 594 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17. 595 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 3. 596 Banking and Securities Commission—General Provisions of CONDUSEF on Transparency and Sound Practices Applicable to Financial Technology Institutions, 9 July 2019 (Mexico), art. 7 and Appendix 2. 597 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 2.40 and para 2.50–2.51. 598 Duoguang, “Growing with Pain,” 49. 599 FCA, FCA’s Regulatory Approach to Crowdfunding over Internet, para 3.75. 600 See World Bank Group, Good Practices, B1. 601 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China). 602 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 3–6. 603 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72. Peer-to-Peer Lending   103 604 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.5.6R; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.74–3.75. 605 Financial Markets Authority of New Zealand, Fair Dealing in Advertising. 606 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.9–4.12; Owens, “Respon- sible Digital Credit,” 18. 607 ASIC, Marketplace Lending. 608 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.26. 609 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 9 and Attachment—Explanation on the Content of the Disclosure of Information. 610 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 24. 611 Banking and Securities Commission—General Provisions Applicable to Financial Technology Institutions, 10 September 2018, as amended 25 March 2019 (Mexico), art. 94. 612 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.31R. 613 FCA Conduct of Business Sourcebook—October 2020 (UK), 16.2 and 16.4; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.76. 614 FCA Conduct of Business Sourcebook—October 2020 (UK), 18.12.21R–18.12.23R. 615 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Infor- mation Intermediaries 2016 (China), art. 10. 616 EBA, “Opinion of the European Banking Authority,” para A1 and 28. 617 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.45–5.47. 618 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 5.48. 619 See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.” 620 IOSCO, IOSCO Research Report, 20. 621 EBA, “Opinion of the European Banking Authority,” para 62. 622 EBA, “Opinion of the European Banking Authority,” para 60. 623 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 1.34. 624 FCA Conduct of Business Sourcebook—October 2020 (UK), 4.7. 625 FCA Conduct of Business Sourcebook—October 2020 (UK), 10. 626 FCA Conduct of Business Sourcebook—October 2020 (UK), 10.2.9G. 627 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 1.34 and 4.61–4.63. 628 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 2.23–2.27. 629 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP19/14), para 2.28. 630 Huang, “Online P2P Lending,” 74. 631 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 26. 632 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 6(2). 633 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7. 634 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 16. 635 National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 20. 636 Lenz, “Peer-to-Peer Lending,” 699. 637 See also Havrylchyk, Regulatory Framework, 14. 638 See Lenz, “Peer-to-Peer Lending,” 699; Ehrentraud et al., Policy Responses to Fintech, 56. 639 Banking and Securities Commission—General Provisions Applicable to Financial Technology Institutions, 10 September 2018, as amended 25 March 2019 (Mexico), art. 49. 640 Bae, “S. Korea to Place Investment Cap.” 641 Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 17. 642 Huang, “Online P2P Lending,” 74, 87–89. 643 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7. 644 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 6. 645 See, for example, Havrylchyk, Regulatory Framework, 25. 646 Havrylchyk, Regulatory Framework, 25. 647 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20), para 4.66–4.71. 648 EBA, “Opinion of the European Banking Authority,” para 66. 649 Lo, “If It Ain’t Broke,” 108. 650 EC, Crowdfunding in the EU Capital Markets Union, 16. 651 Duoguang, “Growing with Pain,” 52–55. 652 Lo, “If It Ain’t Broke,” 95. 653 See National Consumer Credit Protection Act 2009 (Cth) (Australia), Part 3-1, Division 1 and Part 3-2, Division 2. 104   Consumer Risks in Fintech 654 See National Consumer Credit Protection Act 2009 (Cth) (Australia), Schedule 1 (National Credit Code) Part 2. 655 RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 9(1)(b)(ii). 656 Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 20. 657 Banking and Securities Commission—General Provisions of CONDUSEF on Transparency and Sound Practices Applicable to Financial Technology Institutions, 9 July 2019 (Mexico), art. 7 and Appendix 2. 658 Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries 2016 (China); Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China). INVESTMENT-BASED CROWDFUNDING 6 INVESTMENT-BASED CROWDFUNDING 6.1 INTRODUCTION ment in a country appears to depend on a combination of factors, including favorable market circumstances, a a)  What is investment-based crowdfunding? facilitative regulatory framework, and a positive and inter- net-friendly business culture. The existence of an invest- Investment-based crowdfunding (equity and debt) is ing culture among retail investors, together with a steady an alternative finance solution that can address financ- stream of investment opportunities (start-ups supported ing gaps not addressed by regulated capital markets by accelerators and incubators coming to market), is also and venture capital/private equity funds. It is typically crucial. Markets with low rates of returns on traditional offered through a fintech platform business model that investments show higher promise for the development connects investors with small businesses looking to raise of crowdfunding, as it can represent an alternative and capital or borrow by issuing securities to the “crowd.” The potentially more lucrative investment opportunity. How- basic premise behind crowdfunding is to enable small ever, this can also give rise to risk—discussed in this chap- businesses to reach out to a large number of potential ter—for the consumers who make up the crowd; they may investors and offer investments in their companies. be choosing between crowdfunding opportunities and Crowdfunding opened up a new source of equity more familiar or lower-risk investments. capital for small businesses in addition to their usual investors such as family and friends, angel and venture Investment-based crowdfunding typically comprises capital/private equity investors. Small businesses seek- the following elements: ing to raise equity through crowdfunding are usually ear- • The core product/service offered is an offer of securities. ly-stage start-ups with no or limited access to other forms of equity funding due to their small size and immaturity. • This activity takes place through internet-based plat- Investment-based crowdfunding also offers an opportu- forms that typically are not standard regulated trading nity to raise funds by offering debt securities to the crowd facilities for providers of investment services. as an alternative to borrowing from an incumbent credit provider or through a P2PL platform. According to the b)  Framing the risks Cambridge Center for Alternative Finance’s recent report, the volume of equity-based crowdfunding and debt- When considering consumer/investor protection risks based crowdfunding in 2018 was $1.515 billion and $852 related to crowdfunding activities, and the potential million, respectively. The United States, the United King- approaches to address these, it is necessary to focus dom, and Europe were the largest markets.659 on two distinct activities. The first is issuing and offer- ing (promoting) securities to retail investors (the crowd). While crowdfunding has grown in major markets, the The second is providing trading-facility services (platform volume of capital raised through crowdfunding is still operations) for crowdfunded securities and potential risks small compared to its potential. The diversification of arising from such activities. potential investors also remains limited. Its develop- 106 Investment-Based Crowdfunding   107 Crowdfunding activity is typically exempt from the Similar sentiment has been leading regulators in devel- application of traditional capital markets rules, but oped and emerging economies to create customized certain limits and thresholds are placed on the activi- regulatory treatments for investment-based crowd- ties of issuers, platform operators, and investors as a funding activities. This has typically been achieved either counterbalance to such exemptions. In the absence of by introducing a specific crowdfunding exemption in the modifications to traditional capital markets regimes, or a existing capital markets regulatory framework (the US or bespoke regime, to offer an investment service a crowd- Australian approach referred to above) or by introduc- funding platform would usually have to satisfy regulatory ing bespoke stand-alone crowdfunding regulations (the requirements whose applicability depends on the type of approach in the European Union). A range of countries services offered (for example, placing of securities, oper- have introduced or are in the process of introducing ating secondary markets, providing investment advice, crowdfunding-specific rules.664 The Brazilian Securities holding client assets and managing collective investment and Exchange Commission enacted Instruction 588665 schemes). Satisfying relevant standards, such as with in 2017, regulating the activity of crowdfunding in Bra- regard to capital, management, information technology, zil. Other examples include Mexico’s Financial Technol- and so forth, can be onerous and may affect development ogy Institutions Law and accompanying regulations, the of investment-based crowdfunding platforms. Malaysian Guidelines on Recognized Markets666 (on equity crowdfunding), and the Dubai Financial Services Author- If standard capital markets rules applied, small busi- ity’s (DFSA) Rulebook, Conduct of Business Module,667 ness issuers would also typically be required to follow Chapter 11. Although investment-based crowdfunding is a specific regime for offering securities to the public only in the early stages of development in Africa, Nigeria, (for example, publishing a prospectus, acquiring nec- for example, is currently developing crowdfunding regu- essary authorizations, meeting reporting and corpo- lations.668 rate-governance requirements, and so on). In such cases, relying on “traditional” exemptions—for example, In developing appropriate enabling rules for crowd- no need to issue a prospectus if an offer is made only funding, regulators also continue to face the need to to accredited (sophisticated) investors—or offering secu- ensure appropriate protection for consumers/retail rities up to some very small threshold could nevertheless investors. Relevant risks can be heightened by two import- be so restrictive that it would hamper the development ant aspects of crowdfunding. First, investment-based of crowdfunding. This is primarily due to the compliance crowdfunding gives entities that were previously unlikely costs faced by small business issuers. to offer investments to the public, given standard capital markets requirements, the ability to do so. Second, they Growing realization of the potential for investment- can make such offers to a crowd of investors that may not based crowdfunding to allow small businesses increas- have made these kinds of investments previously. In a ed access to finance has meant that regulators around crowdfunding context, factors that can increase risks for the world have been seeking to adjust their regimes to consumers acting as investors—including the risk of losing facilitate crowdfunding without compromising investor their entire investment—can be grouped into the follow- protections. The SEC in the United States, when adopting ing four categories: regulations on crowdfunding, emphasized that the “crowd- • Investor inexperience and higher-risk nature of in- funding provisions of the JOBS Act660 were intended to help vestee companies. provide start-ups and small businesses with capital by mak- ing relatively low dollar offerings of securities, featuring rel- • The nature of securities being issued—illiquid and atively low dollar investments by the ‘crowd,’ less costly.”661 hybrid. ASIC similarly indicated that amendments introduced by • Lack of reliable information and misleading marketing the 2017 Corporations Amendment Act were intended to practices. provide a legislative framework to facilitate flexible and low- • Platform business-conduct issues. cost access to capital for small- to medium-sized unlisted public and proprietary (private) companies by reducing the Summary of risks and regulatory approaches c)  regulatory requirements for making public offers of shares, discussed in this chapter while ensuring adequate protections for retail investors.662 When the European Commission decided to introduce a Table 5 summarizes the new manifestations of con- special regulation for European crowdfunding service pro- sumer risks and corresponding regulatory approaches viders, it observed similarly that existing capital markets discussed in this chapter. rules in the European Union might be disproportionate for small activities and not fit for purpose.663 108   Consumer Risks in Fintech TABLE 5: Consumer Risks and Regulatory Approaches: Investment-Based Crowdfunding RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Investor inexperience and higher-risk nature of investee • Require risk warnings and disclosures about key 108 companies aspects of crowdfunding • Small business and start-up investee companies may constitute • Impose issuer caps—limitations on the size of an issue a riskier investment for retail investors • Impose investor caps—limitations on individual • Investors are often unlikely to possess sufficient knowledge or investments/exposures experience, or lack access to financial advice, to assess offers • Require investor-suitability assessments to be • Investees may have majority shareholder and management undertaken by platform operators arrangements that present risks for minority shareholders such • Establish cooling-off periods for investors as external crowdfunding investors Risks relating to the nature of securities offered on crowdfund- • Prescribe disclosure requirements focused on 112 ing platforms emphasizing the illiquid nature of issued securities • Securities rarely traded on any kind of organized market and • Restrict the types of securities that can be issued may have limitations on transferability—investors may not • Impose targeted product intervention understand or are unable to deal with risk of being unable to • Require targeted warnings exit their investment • Introduce rules facilitating information exchanges and • Creation of complex hybrid securities by incorporating rights secondary trading and restrictions for security holders to match issuer’s needs Consumers are not provided with adequate information • Introduce investment-related disclosure requirements 115 • Crowdfunding issuers often tend to be small businesses or in • Introduce regulation of bulletin boards and their start-up phase with a limited track record, limiting the crowdfunding trading facilities (including secondary availability of information market) to assist information accuracy • High separation between ownership by crowdfunding investors • Apply fair marketing rules to investment-based and parties that control issuers—potential lack of information crowdfunding activities provided to crowdfunding investors • Retail investors in crowdfunding securities are also at risk of misleading marketing practices, potentially exacerbated as a result of issuers being new to making public offers Platform operator misconduct or failure • Introduce authorization and vetting requirements 119 • Platform operators and related parties may engage in • Require business/service-continuity arrangements misconduct under a range of circumstances that affect • Require segregation of client funds investors, from outright fraud to incompetent administration to • Apply management requirements of the kinds undertaking unfair conflicted behavior summarized above in the context of P2PL • Failure of a platform can leave investors without services essential to the continued integrity of their investment Issuer fraud: Consumers investing on crowdfunding platforms • Require platform operators to undertake due diligence 122 may suffer losses due to issuer fraud, such as sham offers or concealing or providing misleading information INVESTOR INEXPERIENCE AND 6.2  Such entities, however, may constitute an unsuitable, HIGHER-RISK NATURE OF excessively risky investment for some consumers. Little reliable information may be available about their business INVESTEE COMPANIES operations and financial status, even less if they are small a) Risks to consumers or in their start-up phase. Ordinary consumers may also be unlikely to have sufficient knowledge, experience, or Crowdfunding facilitates opportunities to invest in resources to conduct a satisfactory level of due diligence smaller entities that may be at early stages of devel- on the issuer to make an informed decision when investing, opment. In some jurisdictions, the ability to use crowd- or to have access to financial advice to be able to do so. funding is even limited by law to small companies and start-ups. For example, in Australia, to be eligible an Crowdfunding issuers themselves also usually do not issuer has to be an unlisted company with consolidated benefit from the professional guidance and know-how gross assets and annual revenue not exceeding A$25 offered by venture capital/private equity investors. million.669 Investment-Based Crowdfunding   109 This can make them even riskier investments than start- • Transparency in relation to fees and other charges that ups that do receive such support. a platform might charge investors. • Explanations of safeguards implemented to protect Crowdfunding issuers can frequently be closely held client funds. entities either within a family or a close group of entrepreneurs. This can make them less accepting • Contact and complaints-channel details. of minority shareholders’ rights. The risk that minority • Conflicts of interest policies, including the platform’s shareholders’ interests might be underestimated, over- remuneration policy. looked, or diluted can be exacerbated by separation between ownership and control over the company. • Educational materials for prospective investors. Compared to concentrated holdings held by founders, for example, highly dispersed crowdfunded holdings can In Dubai, the DFSA Rulebook specifies a detailed list result in high separation between crowd investors and of information to be available on platforms’ websites management decisions that affect their holdings. Large for prospective investors.671 Investors must receive numbers of small and inexperienced investors, without warnings about the main risks of using a crowdfunding collective influence or effective oversight, increase the platform, a description of how the platform functions, risk of agency risks, moral hazard and even fraud and what happens if the issuer defaults, general information misappropriation of investors’ funds.670 on default and failure rates, how the platform operator is remunerated, information about safeguarding client funds, and details about fees and charges. Similarly, b)  Regulatory approaches crowdfunding investors in the United Kingdom must Regulatory investor protection measures to address be provided general information about their platform, risks for consumers due to investor inexperience and a confirmation that the company has been authorized, the potentially riskier nature of investees in a crowd- contact details, the platform’s conflicts of interest policy, funding context include the following: and its policy on safeguarding client funds.672 Platform operators also have a general obligation to warn clients • Requiring risk warnings and disclosures about key about the risks associated with investing in financial aspects of crowdfunding. instruments.673 In the United States, platform operators • Imposing issuer caps—limitations on the size of an issue. (regulated as “funding portals”)674 must cause prospec- tive investors to demonstrate that they understand the • Imposing investor caps—limitations on individual risks of crowdfunded investing. investments/exposures. • Requiring investor appropriateness or suitability New EU regulation on crowdfunding requires that a assessments to be undertaken by platform operators. range of information, including marketing communi- • Establishing cooling-off periods for investors. cations from platforms operators to clients or poten- tial clients, is fair, clear, and not misleading and is Risk warnings and information about crowdfunding available to all clients and potential clients in a non- discriminatory manner on a clearly identified section To assist prospective investors to have a clear under- of the website of the crowdfunding platform.675 This standing of the nature, risks, and costs of crowdfunding includes information about the platform operator, the services, regulators typically require crowdfunding plat- costs and charges related to crowdfunding services or form operators to provide their clients with a range of investments, the crowdfunding conditions, including information. crowdfunding project-selection criteria, and the nature of and risks associated with their crowdfunding services. Regulators usually require platform operators to warn potential investors regarding the risky nature of crowd- Issuer caps: Limits on size of an issue of securities funding. The purpose of these warnings is to alert poten- tial investors to specific features of crowdfunding that By limiting the maximum size of an issue—in practical contribute to risk, such as emphasizing high failure rates terms, usually the maximum amount of money that can of start-ups and small businesses. Platform operators are be raised through a single crowdfunding issue or over frequently also required to provide the following: a certain time period without having to comply with standard capital markets requirements—regulators can • General information about a platform’s business model. effectively seek to lower the potential number of retail • Prominent confirmation of the regulatory status of the investors exposed to loss from a particular company/issue platform. of securities. 110   Consumer Risks in Fintech A range of jurisdictions have implemented such caps. Investor caps: Limits on how much an investor can The new EU regulation on crowdfunding highlights the invest perceived importance of such caps. It explains that, given the risks associated with crowdfunding investments and In order to limit exposure of inexperienced investors in the interest of the effective protection of investors, it to risky crowdfunding investments, some regulators was considered appropriate to impose a limit of €5 mil- are introducing limits on how much they can invest. lion in total consideration for crowdfunding offers made Amounts and approaches to applying such limits vary. by a particular project owner.676 In the United States, the Some regulators have decided to forgo investment caps crowdfunding regulations permit an issuer to raise a maxi- altogether and to focus instead on requiring platforms to mum aggregate amount of $1.07 million over a 12-month assess the appropriateness or suitability of investments for period. This limit is significantly lower than the amount of retail investors. $5 million that usually triggers the need to register secu- rities with the SEC.677 In Dubai, an issuer can offer securi- There are generally two main approaches to setting ties through a crowdfunding platform without the need to investment limits: imposing a fixed monetary amount issue a prospectus if the offer is made to and directed at or requiring the cap to be calculated by reference to investors who are already clients of the platform operator a prospective investor’s circumstances, such as their and the total size of offered securities is not more than $5 income or assets. These limits may be further qualified as million calculated over a period of 12 months.678 Similarly, being absolute or relating only to an investment in a sin- in Australia, eligible companies are able to offer ordinary gle company and may be calculated over a period of time shares to raise up to A$5 million in any 12-month peri- (for example, 12 months). Examples include the following: od.679 In Brazil the threshold is set at R$5 million,680 and in • A limit on the amount an investor can invest through Japan the threshold is ¥100 million.681 crowdfunding over a period of time expressed as a per- centage of annual income/net assets/investable assets. Malaysia takes a somewhat different approach. Instead of limiting a particular issue, an issuer is limited in how • A fixed amount an investor can invest through crowd- much it can raise from equity crowdfunding over its funding in a year, with an additional limit on exposure lifetime. An issuer may raise, collectively, a maximum per an individual company. amount of RM 10 million in its lifetime, excluding the • A cap set as an absolute amount for all investments issuer’s own capital contribution or any funding obtained made through a single platform in a year with no caps through a private placement exercise.682 per issuer. Deciding on appropriate amounts and other bases for • A cap set as a maximum amount for investment in a such caps can be difficult. If limits are set too low, they single company in a year. can act as an unjustified barrier to the development of crowdfunding in a market. Some regulators have thus In the United States, a limit is set in relation to the been considering adjustments to existing caps. The Brazil- lesser of either annual income or net worth. Individuals ian Securities and Exchange Commission issued a consul- with an annual income or net worth less than $107,000 tation document in March 2020 proposing an increase of can invest up to the greater of either $2,200 or 5 percent the existing threshold from R$5 million to R$10 million.683 of the lesser of annual income or net worth during any Similarly, in March 2020 the SEC proposed increasing 12-month period. If both annual income and net worth the issuer cap in the United States from $1.07 million to are equal to or more than $107,000, then, during any $5 million (while at the same time increasing the trigger 12-month period, an individual can invest up to 10 per- for the need to register securities with the SEC to $10 cent of annual income or net worth, whichever is lesser, million).684 This was proposed after public consultations but not to exceed $107,000. The SEC has published a revealed that, while few offerings were reaching the proposal to increase this cap by using instead the higher existing limit, many issuers were choosing not to utilize of either annual income or net worth to allow more flexi- the crowdfunding exemption because the limit was too bility to investors and to align the approach with another low.685 Similarly, after conducting public consultations the exemption. The amendments would also remove investor European Commission raised the originally proposed cap caps for accredited investors altogether.687 of €1 million to €5 million.686 However, at the same time the caps should not be set too high to allow for effective A similar approach is found in the United Kingdom. regulatory arbitrage by issuers. The UK rules on direct financial promotions688 allow plat- forms to communicate financial promotions directly only to retail investors that confirm that they will not invest Investment-Based Crowdfunding   111 more than 10 percent of their net investable assets in Investor-appropriateness assessments by platform investments sold via investment-based crowdfunding operators platforms unless receiving regulated financial advice.689 An FCP measure implemented in a range of consumer The FCA explained that the rules were introduced to contexts that can assist to target individual consumer ensure that clients are assessed as having the knowledge inexperience in a crowdfunding context is an obliga- or experience to understand the risks involved before tion on platform operators to conduct investor-assess- they can invest.690 ment testing before allowing retail investors to invest using their services. This typically involves having a pro- On the other hand, countries such as Malaysia have cess in place to assess if crowdfunding investments, or a set cap based in absolute amounts. The investment particular crowdfunding investment, is appropriate for a limit for retail investors has been set to a maximum of particular consumer’s circumstances. Common techniques RM 5,000 per issuer, and the total amount to be invested employed include running an entry knowledge test or is limited to RM 50,000 over 12 months.691 In Dubai, an simulations to gauge ability to bear losses. investment-based crowdfunding operator must maintain effective systems and controls to ensure that a retail client Regulators that impose entry knowledge tests typi- does not invest more than $50,000 in total in any calen- cally require platform operators to conduct remote dar year using its service.692 In Australia, the cap is set at equivalents of interviews with investors. These would A$10,000 per annum per company, but without maximum be based on a series of questions posed through the plat- investable amounts per year for an investor. In Japan, the form’s website. Collecting this information helps to estab- cap is ¥500,000.693 In Brazil, the limit is set at R$10,000 on lish whether the client understands the risks involved and all platforms. If a platform can satisfy itself that an investor whether the selected project is appropriate given their has an annual income exceeding R$100,000, the platform circumstances. When conducting such assessments, plat- can accept the increase of this amount up to the limit of form operators typically take into account matter such as 10 percent of the investor’s annual income.694 the following: The effectiveness of investment limits as an appropri- • The type of services, transactions, and investments ate risk mitigant is not universally accepted. Arguments with which the prospective investor is familiar. against such investment limits include that net worth of an • The nature, volume, and frequency of the investor’s individual may not be an effective indicator of their acu- investments and the period over which they have been men as an investor, that arbitrary limits may not result in carried out. commensurate protection for all retail investors, and that some of these limits are hard to control and enforce. • The investor’s level of education and profession or for- mer profession (for example, if the client has experi- Some regulators have recognized the difficulty of ence in financial services). policing investment limits and tried to balance inves- tor protection with cost impacts on platforms required Circumstances vary under which such assessments are to investigate clients’ income and existing exposures. applied. In France, among other prerequisites, investors This made some regulators (for example, in the United may invest only after the completion of the assessment.699 Kingdom, the United States, and Dubai) settle on allowing In the United Kingdom, when a retail client is not receiv- platforms to rely on investors’ representations regarding ing investment advice, a platform operator must comply income or assets unless the platform operator has a rea- with rules on appropriateness. These include checking son to question the reliability of such representations. On that the client has sufficient knowledge and experience the other hand, EU regulation requires platform operators to understand the risks of investing.700 In Japan, platform to ensure, if an unsophisticated investor invests an amount operators701 are required to suggest suitable financial that exceeds the higher of either €1 000 or 5 percent of instruments in light of clients’ financial knowledge, wealth, that investor’s net worth, that the investor receives a risk and risk tolerance. warning, provides explicit consent, and proves that they understand the investment risk.695 There are no such limits Some jurisdictions have mandated both investor tests on investments made through conseillers en investisse- and loss simulation for prospective investors. New ment participatif (crowdfunding advisors)696 in France697 EU regulation requires not only an entry knowledge or through crowdfunding platforms in Italy (established test for prospective investors702 but also that operators under the regulation on the collection of capital via online require prospective investors to simulate their ability to portals).698 bear loss.703 This would be calculated as 10 percent of their net worth. Interestingly, this threshold is similar to 112   Consumer Risks in Fintech the one used in the United States and United Kingdom The timing of cooling-off periods relative to closure of when establishing investment limits for retail investors. an issue, as well as their length, needs to be carefully Italian regulation requires platform operators to ensure balanced with the potential harm for issuers. Crowd- that nonprofessional investors may access sections of the funding campaigns are usually created with a specific platform where they can invest only if they have read the investment target, and subscribing investors are bound investor-education information provided, have provided only if the target is reached. Giving investors the abil- information about their knowledge and experience to ity to withdraw late in the offer process can cause the understand the essential features and risks involved with aggregate amount of investment commitments to fall investing, and have declared that they can financially sus- under such a target and effectively cancel the whole tain the possible loss of the entire investment they intend issue. Different regulators have taken different approach to make.704 in this regard. In the United States, investors are allowed to withdraw up to 48 hours prior to the deadline identi- Some regulators require platform operators to warn fied in the issuer’s offering materials.711 Once the offering investors if the result of the testing shows that partic- period is within 48 hours of ending, they are not able to ular investments might not be appropriate for them. cancel for any reason, even if they made their commit- However, they are not necessarily prevented from going ment during this period. However, if the company makes ahead with the investment. a material change to the offering terms or other informa- tion is disclosed, investors are given five business days Some regulators have not mandated testing. For exam- to reconfirm their investment commitment. According to ple, in the United States, a prohibition on funding portals705 new EU regulation, a platform operator must provide a providing investment advice and recommendations to four days’ cooling-off period (a precontractual reflection investors has effectively barred them from introducing such period), during which the prospective unsophisticated testing.706 However, funding portals are required to offer investor may, at any time, revoke the offer to invest with- educational materials to help investors understand this out giving a reason and without incurring a penalty. The type of investing, ensure that investors review such materi- four-day period starts the day the offer is made.712 On als, and ask investors to confirm that they understand that the other hand, in Dubai, retail investors may withdraw they can lose all of their investment and that they can bear during a 48-hour cooling-off period that starts at the end such a loss. In Dubai, the DFSA Rulebook also does not of the commitment period.713 This somewhat unusual mandate running tests, but the lack of assessment needs approach allows withdrawals after the offer closes. to be disclosed clearly to investors if they are using an auto-investment system provided by the platform.707 RISKS RELATED TO THE NATURE 6.3  Cooling-off periods OF SECURITIES OFFERED ON Cooling-off periods are intended as an additional PLATFORMS layer of protection for inexperienced investors that proceed with an investment that may be unsuitable. a)  Risks to consumers Cooling-off periods give investors the right to withdraw Consumers investing in crowdfunding face a poten- from an investment within a specified time window with- tially unexpected, or misunderstood, greater risk of out detriment. While many regulators seem to agree being unable to exit their investment—that is, to sell on the value of a cooling-off period, there seems to be securities on the secondary market at any point in no common approach on the time frame within which time. Unlike investing in securities listed on a regulated such a right should be allowed to be exercised. In Italy, market, where consumers may usually expect to be able the cooling-off period starts on the day an investor sub- to exit their investment by reselling their securities on scribes to the offer and lasts seven days.708 Also, in case an organized secondary market, crowdfunded securities of a material change (for example, if any new fact arises are rarely traded on any kind of organized market. Even that could influence the decision on the investment), the where organized secondary trading is in place, market investor has a further seven days to withdraw starting depth, and thus ease of trading, is often lacking. This from when notified of the change. In Australia, the cool- effectively means that investors need to understand and ing-off period lasts up to five days after subscribing to be willing to accept the risk of being locked into their the offer (making an application),709 while in Malaysia, it positions indefinitely (in case of equity) or until the full is six days.710 In addition, in both countries, if there is any repayment of the debt (in case of debt). material adverse change relating to the issuer, investors must be notified and given the option to withdraw within 14 days of the notification. Investment-Based Crowdfunding   113 Consumers may also lack experience and ability to the risk that it may be impossible to cash in an investment understand complexities associated with the nature of immediately.716 The key investment information sheet securities typically offered on crowdfunding platforms. contemplated under the new EU crowdfunding regulation Consumers may be offered hybrid securities incorporat- will have to state clearly that investors may not be able to ing rights and restrictions intended to cater to the issuer’s sell their investment instruments when they wish.717 Simi- needs. These may include hybrid securities that mix prop- larly, in Dubai, an operator must disclose prominently on erties of debt and equity, or securities that restrict voting its website that the investor may not be able to sell their rights. Sometimes crowdfunded securities are also issued investment when they wish.718 The Japan Securities Deal- with limitations on their transferability. This can be a con- ers Association’s code of conduct for equity crowdfunding tractual limitation or a legal requirement. For example, in obliges its members to make sure that clients understand the United States or Australia, shares may be traded only that the liquidity of shares will be quite low once the pri- after 12 months from the issue (with some exceptions—for mary market has closed.719 example, sale to accredited investors in the United States or sale with a prospectus in Australia). Similarly, in Malay- Some regulators have also changed the terminology sia, this limit is set at six months. used in crowdfunding regulation to convey a clear mes- sage about the illiquid nature of relevant securities. In The more complex and greater the mix of such issuer order to emphasize the illiquidity of securities on crowd- rights and investor restrictions, the more difficult it may funding platforms, the FCA decided to change the ter- be for retail investors to understand the risks involved minology previously used, replacing the phrase “unlisted with investing in those securities. share and unlisted debt security” with a newly defined term: “non-readily realizable security.”720 b)  Regulatory approaches Regulators also publish warnings on their own web- Regulatory investor protection measures to address sites. The SEC warns investors that they need to be such risks include the following: ready to hold their investment for an indefinite period of time, because, unlike investing in companies listed on • Prescribing disclosure requirements focused on a stock exchange, investors may have to locate an inter- emphasizing the illiquid nature of issued securities. ested buyer when seeking to resell their crowdfunded • Restricting the types of securities that can be issued. investments.721 The warning is especially apt since crowdfunding regulations ban the resale of crowdfunded • Targeted product interventions. securities during the first year.722 The SEC believes that • Targeted warnings. restricting the transfer of securities for one year allows investors time to observe the performance of the busi- As discussed below, regulators are also introducing ness and, potentially, to obtain more information about enabling measures that, while not strictly FCP measures, the potential success or failure of the business before facilitate information exchange and secondary trading. trading occurs. Disclosure of illiquidity risks Restricting the type of securities that can be issued To mitigate the risk that retail investors lack aware- Some regulators are responding to the risk of retail ness of the illiquidity of crowdfunding investments, investors not being capable to deal with the more regulators typically require platform operators to dis- complex nature of some securities by limiting the close this risk to investors. This includes clearly warn- types of securities that can be offered through crowd- ing potential investors of the possibility that they will funding platforms. In Australia, eligible companies can be unable to exit their investment at any given point of offer only fully paid ordinary shares for (equity) crowd- time. In a 2015 review of the UK regulatory regime for funding. Offers of other types of securities (for example, crowdfunding,714 the FCA found that comparisons were partly paid shares, preference shares, options, or deben- sometimes being made between crowdfunding invest- tures) are not currently permitted. However, the legisla- ments and retail bonds (such as corporate bonds listed tion allows ASIC to extend this to a broader range of on the stock market) without clarifying to crowdfunding securities in the future if it sees fit to do so.723 Similar investors that their money could effectively be locked in restrictions are found under new EU regulation, where until maturity. In a more recent consultation, the FCA reit- crowdfunding platforms are limited to offering invest- erated the importance of investors understanding there ment only in transferable securities724—that is, “vanilla” may be limited liquidity.715 In Italy, a platform operator bonds and shares.725 The transferability of a security was must disclose in a brief and easily comprehensible form considered an important safeguard for investors. Finan- 114   Consumer Risks in Fintech cial instruments other than transferable securities are pro- to individual retail investors who have been pre-cate- hibited from being offered; the European Commission gorized as either sophisticated or high net worth, and explained when the regulation was proposed that they where the product has been initially assessed as likely to were viewed as entailing risks for investors that could not be suitable for them. The FCA also mandated including be properly managed within the proposed framework.726 a specific risk warning, as well as disclosing any costs Similarly, in France, platforms may offer only plain vanilla or payments to third parties that are deducted from the bonds and ordinary shares.727 In Dubai, all platforms are money raised by an issuer, in any financial promotion for restricted from facilitating investments in products con- these products regardless of the type of investors. sidered to be higher risk. These include derivatives or structured products, while shares, certificates, deben- Targeted warnings tures, or sukuk are allowed.728 In the United States, the Regulators may also seek to address specific SEC recently proposed amendments that would intro- instances of risky securities by mandating targeted duce limitations on the types of securities eligible under warnings in addition to standard disclosures. The SEC crowdfunding regulations. The proposal aims to limit in the United States identified so-called “SAFE” (sim- crowdfunding to equity securities, debt securities, secu- ple agreements for future equity) securities as being of rities convertible or exchangeable for equity interests, particular concern.731 A SAFE security was a quasi-eq- and guarantees of any of these securities.729 uity security that differed significantly from traditional equity securities. It was an option, or an agreement Targeted product interventions between an investor and the issuing company, in which Regulators may address specific instances of risk the company generally promised to give the investor from complex offerings through product interven- a future equity stake in the company if certain trigger tion powers. In the United Kingdom, a pressing need events occurred. Historically, SAFEs were designed as for regulatory intervention was identified in the con- a way for venture capital investors to invest in start-ups text of so called “mini-bonds.” The FCA defines mini- quickly without burdening the start-up with the more bonds as debentures or preference shares that include labored negotiations that an equity offering may entail. one or more of the following features: They are typically According to the SEC, it was often more important issued by an authorized person who is not subject to for the venture capital investor to get the investment FCA oversight and therefore generally not covered by opportunity, and possible future opportunities, with the the Financial Services Compensation Scheme; they are start-up than it was to protect the relatively small invest- unlisted and commonly issued through a special pur- ment represented by the SAFE. In addition, the various pose vehicle; the investment offers a high fixed rate of mechanisms of the SAFE, from the triggering events to interest (8 percent or more) to investors if they commit the conversion terms, were designed to operate best to invest for a specific period of time (for example, three in the context of a fast-growing start-up likely to need or five years) with limited or no opportunity to sell or and attract additional capital from sophisticated venture transfer the investment before the end of that period; capital investors. Since this may not be the case in a the issuer uses the capital raised to fund speculative and crowdfunding context, the SEC considered it important high-risk activities; and they often involve high costs or to warn investors specifically about these securities.732 third-party payments that are made from the proceeds In March 2020, the SEC also proposed changes that of the bond issuance. To address risks of harm for retail would limit types of securities eligible to be offered investors from the promotion of these highly specula- under crowdfunding regulations, recognizing the need tive mini-bonds, the FCA introduced temporary product to simplify the type of securities offered to retail inves- intervention measures starting from January 1, 2020.730 tors through crowdfunding platforms.733 The FCA explained the intervention reflected concerns with the widespread marketing of mini-bonds in spite Facilitating information exchanges and secondary of their high-risk nature and difficulty for retail investors trading to understand. The FCA was concerned that investors Regulators around the world seem to be introducing may be attracted to the lucrative returns offered, but that enabling regulatory frameworks to incentivize the such promotions downplayed the key risks and implied development of crowdfunding secondary markets in that these products were “safer” than was the case in part as a response to concerns regarding illiquidity. practice. The FCA’s intervention comprised strengthen- Strictly speaking, such frameworks go beyond FCP mea- ing its financial promotions rules, on a temporary basis, sures, but it would be important that they are adminis- to restrict the marketing of speculative illiquid securities tered, where introduced, in ways that do not introduce for 12 months to ensure they can be promoted only additional risks. Investment-Based Crowdfunding   115 The European Commission noted an emerging trend other about the issuer’s offer.737 The facility must enable in the European Union of organized secondary mar- a person who accesses the offer document to post com- kets for securities or loans in crowdfunding projects, ments about the offer, see posts made by others, and although such services were not being provided sys- ask the issuer and the platform operator questions about tematically.734 In order to improve access to information the offer. In order to provide a trading facility, an Austra- about securities and support creation of secondary mar- lian platform operator must hold an Australian market kets, platform operators started introducing online bulle- license. Regulations in Dubai and Malaysia go a step tin boards to encourage information exchanges between further than those in the European Union, the United investors. Some platforms have gone even further to States, or Australia and allow platform operators to run facilitate secondary trades by offering a form of trading secondary markets in addition to providing forums for service or partnering with licensed third-party trading information exchange. While secondary trading of secu- facilities—for example, with licensed intermediaries under rities offered through crowdfunding platforms is cur- the Markets in Financial Instruments Directive (MiFID) rently prohibited in Brazil, the Brazilian Securities and in the European Union or broker dealers in the United Exchange Commission proposed revising the current States. Such practices are currently more prevalent in the regulation in March 2020, introducing the possibility of United States and United Kingdom, but regulators are a crowdfunding platform acting as a trading facility (an increasingly developing regulatory frameworks to incen- intermediary between investors).738 tivize such development (for example, in Dubai, Australia, Malaysia, and Brazil). While allowing platform operators to introduce orga- nized information exchanges and even to run trading Recognizing the need to facilitate the development facilities is definitely a step forward in developing of transparent information exchanges and, indirectly, liquidity, regulators also need to pay attention to the secondary markets, new EU crowdfunding regulation risks arising from potential market abuse. Platform oper- introduces the concept of a bulletin board that would ators should have appropriate mechanisms to prevent, allow investors to interact directly with each other detect, and respond to any potential market manipulation to buy and sell securities that were originally crowd- on their platforms. Eventually, for secondary markets to funded on these platforms.735 However, these bulletin function properly, more comprehensive regulation pro- boards will not be allowed to facilitate trading; this will portional to the risks of trading unlisted securities is likely still have to be done privately or using a MiFID-autho- to be necessary. These issues are discussed further below rized intermediary. Under existing regulations in Italy,736 in the context of regulation of bulletin boards and crowd- for example, platform operators are allowed to offer, in funding trading facilities. a separate section of the platform, an electronic board for the publication of the information about crowdfunded securities. This is possible only for securities issued in the CONSUMERS NOT PROVIDED WITH 6.4  scope of a crowdfunding campaign carried out on their ADEQUATE INFORMATION own platform, and the platforms are not to carry out activ- ities aimed at facilitating the trade. a)  Risks to consumers Crowdfunding issuers often tend to be small businesses A range of regulators outside of the European Union in their start-up phase with limited track records, lim- have also taken action in this context, and some go iting the availability of information. Small businesses even further by allowing platform operators to run typically do not disclose information as frequently or as secondary markets. US platform operators (either a extensively as public companies and, unlike public com- funding portal or a broker-dealer) are required to pro- panies, are generally not under obligation to have an vide communication channels that would allow informa- independent audit of their financial statements. This also tion exchange between investors and the issuer, and that means consumers investing through crowdfunding will need to be publicly available for viewing (that is, by those likely have significantly less information about the issuer’s who may not have opened accounts with the platform). If prospects than the issuer’s management or owners, espe- a platform operator is registered as a broker-dealer, then cially when compared to other types of public securities it can facilitate trade as well, but not if it is registered as offerings. a funding portal (a specific license created to facilitate development of crowdfunding). Similarly, in Australia, When information about an issuer is difficult to obtain a platform operator is required to provide a communi- or the quality of the information is uncertain, inves- cation facility for any offer on its platform to allow the tors are at risk of making poorly informed investment issuer and potential investors to communicate with each decisions. Unlike listed companies that are valued pub- 116   Consumer Risks in Fintech licly through market-driven prices, valuations of small • Key characteristics of the issuer. private companies can be much more difficult and inves- • A description of the issuer’s ownership and capital tors risk overpaying, particularly given the investment structure. risks taken on. Loss risks connected with poor informa- tion are amplified for retail investors, who may not have • Financial information about the issuer with or without the resources necessary to gather and analyze informa- an independent audit requirement. tion about issuers before investing or to monitor issuers • The main risks facing the issuer’s business. effectively after investing. • The purpose of the fundraising and the targeted offer The fact that the majority of crowdfunding investors total. are likely to have smaller, non-controlling stakes in issu- • Information about the issuer’s business plan. ers may mean that issuers—including their controlling • A description of the securities being issued and the stakeholders—do not consider the need to be trans- investor’s rights linked to them. parent. For example, they may use capital to fund riskier projects than originally disclosed without updating. • Arrangements in place for holding the shares and exer- cising investors’ rights after investment (for example, Retail investors in crowdfunding securities are also any nominee arrangements). at risk of misleading marketing practices, potentially exacerbated as a result of issuers being new to making Regulators impose requirements for issuers to pro- public offers. The resulting misconduct may include pro- vide information to investors, including by provid- motional activities that lack balance, where benefits are ing such information to the platform. In the United emphasized without equally highlighting potential risks; States, the issuer must disclose information about the selectively choosing information to create unrealistically company, its business plan, the offering, and its antic- optimistic impression of the investment; or watering down ipated use of proceeds, among other things. It needs important information by making comforting statements to specify the terms of the securities being offered and based on past records. each other class of security of the issuer, including the number of securities being offered and/or outstanding, b)  Regulatory approaches whether such securities have voting rights, any limita- tions on such voting rights, how the terms of the securi- Regulators seek to reduce information asymmetries ties being offered may be modified, and a summary of and address information and marketing-related abuses the differences between such securities and each other through a variety of disclosure, information integrity, class of security of the issuer, and how the rights of and marketing requirements. Regulatory measures the securities being offered may be materially limited, aimed at addressing such risks associated with crowd- diluted, or qualified by the rights of any other class of funding include the following: security of the issuer. Under crowdfunding regulations, • Investment-related disclosure requirements. issuers are also required to publish financial statements that at a minimum need to be certified by the com- • Regulation of bulletin boards and crowdfunding trad- pany or reviewed by an independent public accountant ing facilities. and, for offerings of a certain size, also audited.739 In • Fair marketing rules. Malaysia, an issuer needs to submit to the platform operator, to be appropriately passed on, general infor- (Requiring platform operators to conduct due diligence mation about the company, information explaining the on issuers, discussed in the next section, is also an import- purpose of the fundraising and the targeted offering ant measure for investors wanting to locate and verify amount, as well as the business plan. The issuer also information relating to issuers.) needs to publish financial information whose extent depends on the size of the funds raised in the previous Investment-related disclosure requirements 12 months.740 In order to decrease information asymmetry and assist investors to make sensible and informed decisions, reg- Requirements are also placed on platform operators ulators have prescribed a range of minimum disclosure to source and provide relevant information. In Italy, a standards. These standards require disclosure of general platform operator must make available to investors, in a information about issuers as well as information about detailed manner and without omissions, all information particular offers. Approaches differ, but issuers are typi- about the offer provided by the issuer so that investors cally required to disclose the following: can understand the nature of the investment, the kind Investment-Based Crowdfunding   117 of financial instrument offered, and the risks related to depending on the service provided or function under- them. The platform operator must ensure that the infor- taken by a platform operator. Typical regulatory require- mation provided via the portal is updated, accessible ments for crowdfunding platform operators in this context for at least 12 months after the closure of the offer, and include the following: made available to interested parties upon request.741 In • Limiting the posting of comments on bulletin boards the United Kingdom, the FCA requires platform opera- only to clients using the platform service. tors to provide appropriate information to investors on the nature and risks of an investment.742 The information • Ensuring that all clients using the bulletin board have disseminated to the client must give a fair and prominent equal access to information posted. indication when referencing the potential benefits of an • Requiring a person posting a comment to disclose investment. clearly if they are affiliated in any way with the issuer. Some regimes impose standardized format require- • Mandating that platform operators take reasonable ments to assist investor comprehension. In addition steps to monitor and prevent posts that are potentially to prescribing the information to be disclosed, platform misleading or fraudulent. operators in the European Union are required under • Ensuring that the secondary-market trading activi- the new crowdfunding regulation to present this infor- ties are conducted in a fair, orderly, and transparent mation in a standardized key investment information manner and that all procedures in place enable safe, sheet.743 This document has to take into account the transparent, and legal trade in securities (if acting as specific features and risks associated with early-stage an intermediary). companies and focus on material information about the issuers, the investors’ rights and fees, and the type of In a recent review of relevant crowdfunding practices, securities offered. As issuers are considered to be in the the FCA found that platforms were often allowing best position to provide that information, they will have investors to comment on investment opportunities, to draw up the information sheet. However, as platform but that market intelligence suggested negative com- operators will be responsible for informing prospec- ments on some platforms tended to be deleted, which tive investors, they will have to ensure that the sheet is could lead to relevant risks being overlooked by inves- complete. In order to keep down associated costs, the tors. The FCA therefore determined that platforms should key investment information document will not have to have mechanisms to detect, prevent, and respond to any be approved by a competent authority. In Australia, potential market manipulation. (The FCA also concluded ASIC prepared a template of the offer document as a that, eventually, for secondary markets to function prop- guide and is strongly encouraging issuers and platform erly, a more comprehensive regulation for the trading of operators to present and format the offer document in unlisted securities should be developed.746 For the time a way that enhances the readability and accessibility of being, crowdfunding platform operators cannot provide the document for retail investors.744 Public companies trading services in the United Kingdom. If one wants to and proprietary companies in Australia that have com- provide trading services, it would need to be licensed pleted a successful offer must comply with certain finan- under the existing regime.) cial reporting obligations, including independent audit requirements.745 In the United States, a platform operator (a funding Regulation of bulletin boards and crowdfunding portal or a broker-dealer) is actually required to pro- trading facilities vide communication channels on its platform747 that will allow investors with an account with the platform As briefly discussed earlier, a recent trend is for plat- operator and the representatives of the issuer to inter- forms to host information exchanges (bulletin boards) act and exchange comments. The operator must require about crowdfunded securities and even secondary mar- any person posting a comment to disclose clearly with kets for such securities. Regulators have recognized the each posting whether they are a founder or an employee potential for abuses that may occur through such bulletin of an issuer. boards and trading platforms if these are not already reg- ulated under existing capital markets rules (for example, Regulators are imposing a range of specific obliga- MiFID-regulated intermediaries in the European Union or tions on operators offering bulletin boards or, more broker dealers in the United States). Therefore, in parallel broadly, secondary trading, to safeguard the integ- to encouraging the development, regulators are develop- rity of the information that investors may receive ing standards aimed at reducing such information-related on such facilities and to make them aware of poten- and market-abuse risks. Regulatory requirements differ 118   Consumer Risks in Fintech tial shortcomings. In Dubai, if an operator provides a • Include a statement directing investors to check the rel- means of communication (a “forum”) for users to dis- evant offer document before subscribing to securities. cuss funding proposals made using the service, the • Include general risk warnings to balance promotional operator must refer investors to the forum as a place messages. where they can discuss proposals, while clearly stat- ing that the operator does not conduct due diligence • Ensure that advertisements do not mislead or deceive on information on the forum. The operator also needs by doing the following: to restrict posting of comments on the forum only to – Overstating or giving unbalanced emphasis to persons who are clients using the service; to ensure potential benefits. that all clients using the forum have equal access to – Creating unrealistic expectations. information posted on the forum; to require a person posting a comment on the forum to disclose clearly – Omitting or giving less prominence to informa- if they are affiliated in any way with the issuer; and to tion about the risks facing the issuer’s business or take reasonable steps to monitor and prevent posts adverse information about issuer. on the forum that are potentially misleading or fraud- – Presenting views about an offer as those of inves- ulent.748 In Malaysia, a platform operator can become tors or unrelated parties. an operator of the secondary market under a regime specifically developed for crowdfunding. In order to do Some regulators restrict advertising outside of plat- that, it needs to have arrangements addressing how the forms. In the United States, an issuer may not advertise secondary market will operate and to ensure that the the terms of an offering outside of their intermediary’s secondary market trading activities on its platform are platform except in a notice that directs investors to the conducted in a fair, orderly, and transparent manner. intermediary’s platform.751 An issuer may also communi- It also has to ensure that access to its secondary mar- cate with investors and potential investors about the terms ket is fair, transparent, and objective, and that all users of the offering through communication channels provided are treated fairly. This includes providing equal access on the intermediary’s platform. The issuer must identify to information; having policies and procedures for the itself, and persons acting on behalf of the issuer must trading, clearing, and settlement of securities on the identify their affiliation with the issuer, in all communica- platform; having sufficient financial, technological, and tions on the intermediary’s platform. In Dubai, a platform human resources to operate its secondary market; mon- operator must not advertise a specific offer that is avail- itoring and ensuring compliance of its rules, including able on its platform and has to take reasonable steps to conducting ongoing market surveillance; and having in ensure that issuers and sellers that use its platform do not place mechanisms to help ensure the resiliency, reliabil- advertise offers unless the advertisement is made on the ity, and integrity of the system, including the security platform and is accessible only to existing clients who use of critical systems.749 The Brazilian regulator recently the platform. If an offer is advertised to potential investors proposed allowing crowdfunding platforms to operate who are not clients of the platform, this may constitute secondary market under certain specific conditions.750 an offer of securities to the public, which would trigger According to the Brazilian proposal, platform oper- an obligation to prepare a prospectus.752 This does not ators, in addition to adopting necessary measures to prevent an operator from generally promoting its crowd- ensure trading integrity, will have to maintain a public funding service to potential clients, provided it does not history of trades, enabling investors to monitor prices advertise a specific proposal. and quantities traded. According to new EU regulation on crowdfunding, Fair marketing rules platform operators have to ensure that all marketing Advertising and marketing more generally play an communications to investors are clearly identifiable important role in crowdfunding. Regulators are trying as such.753 Marketing communications may indicate only to ensure that issuers, platform operators, and other where and in which language clients can obtain informa- promoters give clear, accurate, and balanced messages tion about individual projects or offers. when advertising crowdfunding offers. To achieve these aims, regulators place obligations, as relevant, on issuers, In the United Kingdom, entities that communicate or operators, and promoters to do the following: approve crowdfunding offers must comply with finan- cial promotion requirements, including ensuring that • Restrict and regulate advertising outside of platforms. such promotions are fair, clear, and not misleading. The • Indicate clearly that relevant communications are rule is applied in a way that is appropriate and proportion- advertising. ate taking into account the means of communication, the Investment-Based Crowdfunding   119 information that the communication is intended to con- In this capacity, they may exercise rights, such as voting vey, and the nature of the client, where a higher standard rights, on behalf of the investor. If the operator or related is expected for retail clients.754 parties have potentially conflicting interests (such as their own shareholdings) in the issuer, they may exercise such rights inconsistently with the investor’s interests. 6.5 PLATFORM OPERATOR MISCONDUCT OR FAILURE Platform failure The failure of a platform can leave investors without a)  Risks to consumers services essential to the continued integrity of their investment. The significance of this risk depends on what Platform misconduct kind of post-investment services a platform provides to Platform operators and related parties may engage an investor. These could include holding or receiving cli- in misconduct under a range of circumstances that ent money, undertaking payment services (for example, affect investors. These may range from outright fraud channeling payments from issuers to investors), acting as by platform operators, such as siphoning customer funds; a nominee representative for retail investors in relation to or offering fraudulent investments through the platform, the issuer, and providing a bulletin board or running a sec- to undertaking unfair conflicted behavior that favors the ondary market for crowdfunded securities. Losing access operator’s interests to the detriment of investors. Opera- to these services can cause operational and financial detri- tors that lack experience or competence can exacerbate ment to investors. If investors’ funds held by a failing plat- such risk, which can be more likely in a market involving form are not well protected, they might also be lost in an many new entrants. operator’s resulting insolvency. While the propensity to act fraudulently is directly Platforms may fail for a variety of reasons, including linked to the integrity of the platform operators and financial distress caused by mismanagement or inter- their employees, some business models can increase nal or external fraud and technology failures caused by the likelihood of conflict of interest and detrimental inadequate infrastructure or cyberattacks. Inadequate operator conduct toward investors. For example, con- capitalization and resourcing may contribute to failures flict can arise between platform operators’ obligations by causing inadequate systems and arrangements. Also, toward investors and potential financial benefits the oper- a platform in financial distress might be more susceptible ator derives from ensuring the success of crowdfunding to risky behavior, increasing the probability of financial offers. This conflict is heightened with models where an demise and potential detriment to investors. operator’s remuneration depends on the success of an offer. This can then have a negative impact on an opera- tor’s responsibilities, such as to: b)  Regulatory approaches • Facilitate investors’ ability to exercise their cooling-off Current and emerging regulatory frameworks for invest- rights and receive a refund, even though this may ment-based crowdfunding seek to address platform lead to the offer being unsuccessful (as it reduces the misconduct and failure risks through a combination of amounts raised), which can in turn have a negative approaches, including some or all of the following: impact on the operator’s income. • Authorization and vetting requirements. • Manage a bulletin board with integrity, knowing that • Requirements for business/service-continuity arrange- negative factual information or opinions may detract ments. from the success of the offer and consequently harm • Segregation of client funds. operator’s revenue. • Imposing rules and policies to mitigate conflicts of • Perform due diligence on issuers to a required stan- interest. dard, which may result in the need to decline to pub- lish certain offers and in turn harm operator’s ability to Other requirements might include minimum capital and generate revenue. adequacy of financial resources, organizational compe- • Review disclosure documents to the required standard, tence, dispute resolution, and outsourcing standards. with the same negative result for the platform operator. Authorization and vetting requirements A platform operator may also act as nominee for inves- Authorization and vetting requirements are intended tors in relation to the securities in which they invest. to act as a mitigant to a variety of risks that are caused 120   Consumer Risks in Fintech or increased if incompetent or dishonest operators are adequate knowledge as the main principles to be fol- allowed to operate in a market. Having authorization lowed. In the European Union, for example, the man- requirements in place enables regulators both to take agement of a platform must be of good reputation and action against unauthorized platform operators and to have adequate knowledge and experience.760 Similar use enforcement of authorization conditions as a means requirements apply in Italy,761 Dubai,762 Nigeria,763 and of ensuring good behavior by authorized entities. Malaysia.764 Different jurisdictions have taken different approaches Business continuity arrangements obligations to authorization requirements for crowdfunding plat- In order to ensure the ongoing administration of form operators. Some jurisdictions have brought oper- investments in the event of platform failure, platforms ators within existing licensing regimes (some with adjust- could be required to put arrangements in place to ments), while others have bespoke licensing frameworks. allow continuation of post-investment services even Jurisdictions where authorization requirements for crowd- in the event of business failure. Such business conti- funding sit within an existing licensing and regulatory nuity plans are typically expected to take into account framework, with some crowdfunding-specific adapta- the nature, scale, and complexity of the crowdfunding tions, include Australia, Dubai, and Nigeria. In Dubai, a services being provided and to establish measures and crowdfunding platform operator needs to be licensed as procedures that ensure, in the event of the failure of an authorized firm and to have a specific endorsement a platform operator, the continuity of critical services on its license if providing crowdfunding services to retail related to existing investments and the sound admin- investors.755 Under rules proposed in Nigeria, only entities istration of agreements between the platform operator registered with the regulator as one of several preexisting and its clients. Platform operators are usually required to categories (for example, Exchange, Dealer, Broker, Bro- do the following: ker-Dealer, or Alternative Trading Facility) may be regis- tered as a crowdfunding intermediary.756 In Australia, a • Provide regulators with a business overview. platform operator needs to acquire an Australian financial • Provide regulators with a specific analysis of the criti- services license, which authorizes a person who carries cal functions of the business. on a financial services business to provide a crowdfund- ing service.757 On the other hand, the European Union • Determine the trigger events that might cause a and United States have created a specific framework for wind-down of the business. crowdfunding platform operators. In the European Union, • Present an analysis of what functions are required and operators have to be licensed as crowdfunding service need to be undertaken for an orderly wind-down of providers under a new regime introduced by EU regula- the business. tion.758 In the United States, operators must be licensed as funding portals under the Regulation Crowdfunding.759 • Create a plan for communicating with investors and other business partners during the wind-down period. Regulators should also make sure that they have the necessary regulatory mandate, powers, and resources Platform operators can also be required to put in to monitor and prevent any unauthorized cross-bor- place third-party measures to support such contin- der promotion of crowdfunded securities. The envi- gency arrangements if risks eventuate—for example, ronment of evolving regulatory approaches and the by entering into an agreement with a third party to absence of internationally set standards open doors provide certain services. In Dubai, an operator must for regulatory arbitrage. Issuers in a jurisdiction with a maintain a business-cessation plan that sets out appro- weaker regulatory framework for crowdfunding may try priate contingency arrangements to ensure the orderly to promote issues of securities across borders. In order administration of investments in the event that it ceases to be able to uphold the standards of investor protec- to carry on its business, and the operator must review tion, including protection from fraud and other platform its business-cessation plan at least annually to take into misconduct, regulators need to make sure they have account any changes to its business model or to the risks the means to prevent active promotion of crowdfunding to which it is exposed.765 According to the new EU regu- securities by locally unauthorized operators. lation on crowdfunding, a platform seeking authorization must provide information to the regulator showing that When it comes to vetting standards to establish the platform has business continuity arrangements in the fitness of operators and their employees and place.766 In the United Kingdom, investment-based plat- management, a range of approaches are taken, but forms are subject to existing business continuity rules regulations generally focus on good reputation and applicable to investment firms generally.767 Investment-Based Crowdfunding   121 Segregation of clients’ funds While formulations of the obligations to act appropri- The protection of investors’ assets (securities and ately and in the interests of investors and, specifically, money) that are held at any point by a service pro- to mitigate conflicts of interest vary internationally, vider is a key consideration of an investor protection they tend to reflect common elements. In Italy, plat- framework. Investors’ assets need to be protected from form operators must operate with diligence, correctness, a platform operator’s insolvency and not be a part of the and transparency, preventing any conflicts of interest that platform operator’s assets. may arise in the management of platforms from harming the interests of investors and ensuring equal treatment Regulators have been approaching this issue in two of recipients of offers who are in identical conditions. ways in a crowdfunding context. The first is to prohibit The manager has to prepare, implement, and maintain crowdfunding platforms from dealing with investors’ an effective policy on conflicts of interest, formulated funds and to require that operators have arrangements in writing, that supports identification of circumstances with other regulated institutions that are allowed to that generate or could generate a conflict of interest provide such services (for example, deposit-taking detrimental to one or more investors and defines the institutions or payment-services providers). The second procedures to be followed and measures to be taken to approach is to allow crowdfunding platforms to deal with prevent or manage such conflicts.772 New EU crowdfund- client funds by either requesting them to be authorized ing regulation requires operators to act honestly, fairly, as payment-services providers or simply to apply similar and professionally in accordance with the best interests funds-protection standards without necessarily request- of investors.773 In Dubai, platform operators must take ing specific licenses. For example, in the United States, reasonable steps to ensure that conflicts and potential funding portals are prohibited from holding, possessing, conflicts of interest between themselves and their cli- or handling investor funds or securities.768 They there- ents, and between one client and another, are identified fore would usually engage a third-party broker-dealer to and then prevented or managed in such a way that the deal in client payments on their behalf. In Italy, platforms interests of a client are not harmed, and to ensure that are similarly required to work alongside a bank or regis- all its clients are treated fairly and not prejudiced by any tered investment company to support their operations. such conflict of interest. Where a platform operator is This includes the handling and retaining of investors’ aware of a conflict or potential conflict of interest, it must money (with funds flowing directly into the bank account prevent or manage that conflict of interest. If it is unable of the issuer from the account of the investor, rather to prevent or manage a conflict or potential conflict of than through the account of the platform).769 In Dubai, interest, it must decline to act for that client.774 an additional permission is required to hold or control investors’ money or securities.770 Under new EU regula- Many regulators take the view that prohibiting oper- tion, platform operators have to be licensed as a pay- ators from investing in offers they host on their plat- ment-service provider if they wish to hold client funds.771 forms is a good way of mitigating a key driver of potential conflicts of interest risk. For example, under Obligations to mitigate conflicts of interest new EU regulation, crowdfunding service providers are prevented from having any financial participation in the Regulators have prescribed a range of obligations for crowdfunding offers on their platforms. Such a prohi- platform operators to mitigate against conduct incon- bition also applies to their shareholders who hold 20 sistent with the interests of investors. Typical require- percent or more of share capital or voting rights, manag- ments include the following: ers, employees, or any person directly or indirectly con- • A duty to act honestly, fairly, and professionally in trolling crowdfunding platforms: they are not allowed to accordance with the best interests of investors. act as investors in relation to the crowdfunding services offered on that crowdfunding platform.775 It is envisaged • Requirements to have in place effective policies for that platform operators should operate as neutral inter- the mitigation of conflicts of interest. mediaries between clients on their crowdfunding plat- • Restrictions on investments hosted on platforms by form.776 In Dubai, officers and employees of a platform operators and their staff. operator (and their family members) are also restricted from investing/issuing via the platform or from having • Requirements for operators to disclose any financial financial interest in any issuer or investor.777 On the other interest in issuers. hand, there is a line of thought that holds that allow- • Requirements for disclosures of the manner in which ing the platform operators to invest shows skin in the operators are compensated. game and increases trust in crowdfunding. For example, • Bans on solicitations by platforms. in the United States, operators (but not their directors or 122   Consumer Risks in Fintech officers) may invest in issuers selling securities through perhaps even more so, fraudulent aspects of an other- their platform so long as they receive the financial inter- wise seemingly genuine offering. This is amplified by the est as compensation for their services and it consists of fact that, unlike with traditional public offers, the regu- the same class of securities with the same terms that the lator’s role in reviewing the offer-related information is public is receiving.778 This was allowed based on the view minimal or nonexistent. that platforms investments can raise the profile of crowd- funding campaigns and increase the appeal of crowd- b)  Regulatory approaches funding in general. However, any director, officer, or partner of the operator, or any person occupying a simi- A common approach taken by regulators is placing lar status or performing a similar function, may not have the onus on platform operators to conduct due dil- a financial interest in an issuer that is offering or selling igence on issuers and their offerings, although the securities through the operator’s platform, or receive a minimum required level of due diligence varies sig- financial interest in an issuer as compensation for the nificantly in different jurisdictions. This can range from services provided to or for the benefit of the issuer in platforms being requested simply to satisfy themselves connection with the offer or sale of such securities. In that a fraud is highly unlikely in a particular case to Malaysia, a platform operator is permitted to have share- expecting platform operators to examine the soundness holding in the issuers hosted on its platform, but that of issuers’ business plans. shareholding must not exceed 30 percent.779 In the United States, a funding portal needs to deny Requirements to disclose potential sources of conflicts access to an issuer if it has a reasonable basis for are frequently implemented as a regulatory approach, believing that the issuer or the offering presents the often in addition to other substantive measures. Juris- potential for fraud or otherwise raises concerns about dictions such as the United States require operators to investor protection, or that the issuer or any of its offi- disclose clearly the manner in which they are compen- cers, directors, or 20 percent beneficial owners were sated in connection with offers and sales of securities.780 subject to a disqualification. The funding portal must In Malaysia, a platform operator, including their directors also conduct a background and securities-enforcement and shareholders, must disclose to the public on their check on each of these persons. However, there is no platform if they hold any shares in any issuers hosted on obligation for a funding portal to fact-check the business the platform. The operator also needs to disclose if they plan of an issuer.782 pay any promoters or receive payment in whatever form, including payment in the form of shares, in connection The FCA does not prescribe due diligence require- with an issuer hosted on their platform.781 ments for platform operators but requires that plat- forms disclose to investors the level of due diligence Risk management requirements undertaken. However, platform operators are under a general duty to exercise skill, care, and diligence as well Investment-based crowdfunding operators have been as to act in customers’ best interests. The FCA recently made subject to a range of risk management obliga- expressed an opinion that platform operators’ resulting tions of the kinds described in chapter 5 as applicable due diligence obligations include assessing whether to P2PL platform operators. The expectations imposed they are legitimate. At a minimum, all platform opera- by such requirements would also target the need for tors should conduct obvious checks—such as ensuring operators to address risks related to platform failure. that the company exists and that the founders are who they say they are. In addition, the FCA stated that it would consider it unlikely that a platform operator could 6.6  ISSUER FRAUD argue that it has met its obligations of exercising skill, a)  Risks to consumers care, and diligence if it had not undertaken enough due diligence to satisfy itself on the essential information on Consumers investing on crowdfunding platforms may which any communication or promotion is based.783 In suffer losses due to issuer fraud in a range of scenar- Australia, platform operators have to check the identity ios. Issuers (which may be genuine or sham issuers) may and eligibility of the issuer, the fitness and properness attempt to defraud potential investors by showcasing of managers and employees, and the completeness and fraudulent business plans, by concealing facts about legibility of offer documents.784 The European Union’s their history or their management, or by using mis- new crowdfunding regulation requires platform opera- leading promotion techniques. It can be difficult for an tors to undertake a minimum level of due diligence in unsophisticated investor to detect a sham offering and, respect to project owners who propose their projects to Investment-Based Crowdfunding   123 be funded through the crowdfunding platform. At a min- are also required to check the business proposal; the imum, this includes checking that the project owner has issuer’s commitment, including that of the management no criminal record in respect to infringements of national (for example, how much capital they have provided and rules in fields of commercial law, insolvency law, financial any potential flight risk); and that its business is being services law, anti-money-laundering law, fraud law, or carried on in accordance with applicable laws in the professional liability obligations.785 jurisdiction where it is based (that the owner has the necessary permits and that the activity is lawful).786 The In Dubai and Malaysia, platform operators are sub- regulations in Malaysia are less detailed than in Dubai, ject to even more stringent and, at times, prescrip- but they place obligations on platform operators to tive due diligence requirements. In Dubai, an operator take reasonable steps to verify the business proposition must conduct due diligence on each issuer before of the issuer as well as to conduct background checks allowing it to use its service. This due diligence, among on the issuer, its management, and owners.787 Nigeria’s other things, must include, at a minimum, taking rea- draft regulation provides that a platform operator is to sonable steps to verify the issuer’s identity, financial carry out due diligence on prospective issuers, taking strength (which includes checking financial statements, reasonable steps to verify the business proposition of financial history, and past performance), credentials or the issuer, conduct background checks on the issuer to expertise it claims to have, valuation of its business, cur- ensure fit and properness, and satisfy applicable KYC rent borrowing or funding levels (if any), and source of and AML/CFT requirements.788 any existing borrowing or funding. Platform operators NOTES 659 “Global Volume by Model in 2018, USD,” figure 1.8 in CCAF, Global Alternative Finance Market Benchmarking Report, 39. 660 Title III of the JOBS Act added Securities Act s. 4(a)(6), which provides an exemption from registration for certain crowd- funding transactions. To qualify for the exemption under s. 4(a)(6), transactions must meet a number of statutory require- ments, including limits on the amount an issuer may raise, limits on the amount an individual may invest, and a requirement that the transactions be conducted through an intermediary that is registered as either a broker-dealer or a “funding portal.” 661 SEC. “Final Rule: Crowdfunding”, p.6 (USA), Supplementary Information (USA), 6. 662 Explanatory Memoranda, A Corporations Amendment (Crowd-sourced Funding for Proprietary Companies) Bill 2017 (Cth) (Australia). 663 Proposal for amending EU Directive 2014/65/EU on markets in financial instruments 2018. 664 World Bank and CCAF, Regulating Alternative Finance: Results from a Global Regulator Survey, 2019. 665 Brazilian Securities and Exchange Commission Instruction No. 588, of July 13, 2017 (ICVM 588/2017). 666 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019) (Malaysia), Chapter 13. 667 Conduct of Business Module (COB) [VER36/04-20] (Dubai). 668 SEC Proposed Rules on Crowdfunding (Nigeria). 669 Corporations Act 2001 (Cth) (Australia), s. 738G(1)(b), s. 738H. 670 See SEC v. Ascenergy LLC et al. Case No. 15-1974 (D. Nev.). 671 DFSA Rulebook (Dubai), COB 11.3.1 to COB 11.3.2 COB/VER36/04-20. 672 FCA Conduct of Business Sourcebook—January 2018 (UK), 8A. 673 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.5, 4.5A. 674 SEC’s Regulation Crowdfunding introduced a new category of registered intermediary, a funding portal, which may facili- tate transactions under the exemption subject to certain restrictions. The statute and the rules provide a safe harbor from broker-dealer registration under which funding portals can engage in certain activities conditioned on complying with the restrictions imposed by Regulation Crowdfunding. For example, a funding portal may not offer investment advice or make recommendations; solicit purchases, sales, or offers to buy securities offered or displayed on its platform; compensate promoters and others for solicitations or based on the sale of securities; or hold, possess, or handle investor funds or securities. 675 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 19. 676 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, preamble para 16. 677 Regulation Crowdfunding, General Rules and Regulations 17 CFR (USA), Rule 230.501. 678 DFSA Rulebook (Dubai), MKT 2.3.1, MKT/VER15/07-19. 679 Corporations Act 2001 (Cth) (Australia), s. 738G(1)(d), s. 738G(2). 680 Brazilian Securities and Exchange Commission Instruction No. 588 of July 13, 2017 (ICVM 588/2017). 124   Consumer Risks in Fintech 681 Morita, “Crowdfunding in Japan.” 682 Guidelines on Recognized Markets SC-GL/6-2015(R4-2020), 13.9. 683 Brazilian Securities and Exchange Commission Public Hearing Notice SDM No. 02/2020. 684 SEC, “SEC Proposes Rule Changes to Harmonize, Simplify and Improve the Exempt Offering Framework.” 685 SEC, Facilitating Capital Formation and Expanding Investment Opportunities by Improving Access to Capital in Private Markets, A Proposed Rule. 686 See Proposal for a EU Regulation on European Crowdfunding Service Providers (ECSP) for Business, 2018/0048 (COD), 5. 687 SEC, Facilitating Capital Formation and Expanding Investment Opportunities by Improving Access to Capital in Private Markets, A Proposed Rule. 688 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.7. 689 Platforms in the United Kingdom are required to classify investors to determine whether direct financial promotions for unlisted securities can be communicated to them (for example, links to an investment website or to an investment subscrip- tion form). Only retail investors who are certified as sophisticated investors, who certify as high-net-worth investors, who confirm that they will receive regulated advice, or who confirm that they will not invest more than 10 percent of their net investable portfolio in unlisted securities may be targets of direct offers. 690 FCA, FCA’s Regulatory Approach to Crowdfunding over the Internet. 691 Guidelines on Recognized Markets, Rule 13.24. 692 DFSA Rulebook (Dubai), COB 11.5.3, COB/VER36/04-20. 693 FSA Japan, Financial Services Agency (Japan), Amendment of Financial Instruments and Exchange Act, and so on (Act No.44 of 2014) [Briefing Materials], May 2014. 694 Brazilian Securities and Exchange Commission Instruction No. 588. 695 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 21(7). 696 On conseillers en investissement participatif, only plain-vanilla bonds and ordinary shares are allowed. However, under the preexisting Investment Service Provider status (ISP) pursuant to MiFID regulation, a platform can offer complex products. 697 Order 2014-559 of 30 May 2014 (France). 698 Resolution no. 18592 of 26 June 2013 (Italy). 699 Order 2014-559 of 30 May 2014 (France). 700 FCA Conduct of Business Sourcebook—December 2019 (UK), 10.2. 701 Financial Instruments and Exchange Act, (FIEA 29-4-2IX) (FIEA 29-4-3III) (Japan). 702 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 21 (2). 703 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 21 (2). 704 Resolution No. 18592, June 26, 2013 (Italy). 705 The SEC’s Regulation Crowdfunding (USA) introduced a new category of registered intermediary, a funding portal, which may facilitate transactions under the exemption subject to certain restrictions. The statute and the rules provide a safe har- bor from broker-dealer registration under which funding portals can engage in certain activities conditioned on complying with the restrictions imposed by Regulation Crowdfunding. For example, a funding portal may not offer investment advice or make recommendations; solicit purchases, sales, or offers to buy securities offered or displayed on its platform; compen- sate promoters and others for solicitations or based on the sale of securities; or hold, possess, or handle investor funds or securities. 706 However, if crowdfunding is offered through broker-dealers, then suitability requirements apply. 707 DFSA Rulebook (Dubai), COB 11.3.13 COB/VER36/04-20. 708 Resolution no. 18592 of 26 June 2013 (Italy). 709 Corporations Amendment (Crowd-sourced Funding) Act 2017 (Australia), s. 738ZD and ASIC, Crowd-Sourced Funding: Guide for Companies (Regulatory Guide 261), June 2020, 261.83. 710 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019) (Malaysia), Rule 13.08. 711 Regulation Crowdfunding, Crowdfunding General Rules and Regulations 17 CFR, (USA), Rule 227.402(a) (USA), Rule 227.402(a). 712 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 22. 713 DFSA Rulebook (Dubai), COB 11.5.2, COB/VER36/04-20. 714 FCA, “Review of the Regulatory Regime for Crowdfunding.” 715 FCA, Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms (CP18/20). 716 Resolution no. 18592 of 26 June 2013 (Italy), art. 15. 717 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 23(6)(c). 718 DFSA Rulebook (Dubai), COB 11.3.1, COB/VER36/04-20. 719 Morita, “Crowdfunding in Japan.” 720 FCA, FCA’s Regulatory Approach to Crowdfunding over the Internet. 721 SEC, “Updated Investor Bulletin: Crowdfunding for Investors.” 722 Regulation Crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a) (USA), Rule 227.501. 723 Corporations Act 2001 (Cth) (Australia), ss. 738G(1)(a) and s. 738G(1)(c), Corporations Regulations 2001 (Cth) (Australia), r. 6D.3A.01. Investment-Based Crowdfunding   125 724 Directive 2014/65/EU on markets in financial instruments, 2014, art. 4(1) 44. 725 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 2(1)a (ii). 726 EC 2018/0048 Proposal for a Regulation on European Crowdfunding Service Providers (ECSP) for Business, Preamble, para 11, 14. 727 Platforms that have Investment Service Provider status (ISP) pursuant to MiFID can offer complex products. 728 DFSA Rulebook (Dubai), GEN 2.2.10 F, GEN/VER44/07-19. 729 SEC Facilitating Capital Formation and Expanding Investment Opportunities by Improving Access to Capital in Private Markets (Proposed Rule, March 31, 2020) (USA). 730 FCA, “Temporary Intervention.” 731 SEC, “Be Cautious of SAFEs.” 732 SEC, “Be Cautious of SAFEs.” 733 SEC, “SEC Proposes Rule Changes to Harmonize, Simplify and Improve the Exempt Offering Framework” 734 EC, Crowdfunding in the EU Capital Markets Union. 735 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 25. 736 Resolution no. 18592 of 26 June 2013 (Italy), art. 25. 737 Corporations Amendment (Crowd-sourced Funding) Act 2017 (Cth) (Australia), s. 738ZA. 738 Brazilian Securities and Exchange Commission Public Hearing Notice SDM No. 02/2020. 739 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a) (USA), Rule 227.201. 740 Guidelines on Recognized Markets, Rule 13.21–13.23 (Malaysia). 741 Resolution no. 18592 of 26 June 2013 (as amended). 742 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.5, 4.5A. 743 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 23. 744 “Template CSF Offer Document,” appendix in ASIC, Crowd-Sourced Funding. 745 ASIC, Crowd-Sourced Funding: Guide for Companies (Regulatory Guide 261), June 2020, 261.279-261.283. 746 FCA, “Review of the Regulatory Regime for Crowdfunding.” 747 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a) (USA), Rule 227.303 (c). 748 DFSA Rulebook (Dubai), COB 11.3.15. 749 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), 13.27–13.30. 750 Brazilian Securities and Exchange Commission Public Hearing Notice SDM No. 02/2020. 751 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a), Rule 227.204. 752 DFSA Rulebook (Dubai), COB 3.2.4. 753 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 27(1). 754 FCA Conduct of Business Sourcebook—July 2019 (UK), 4.2. 755 Regulatory Law No. 1 of 2004, July 2012, art. 42(1), and DFSA Rulebook (Dubai), GEN 2.2.8. 756 SEC Nigeria Proposed Rules on Crowdfunding (Nigeria), art. 4 (e). 757 Corporations Act 2001 (Cth) (Australia), s. 738C. 758 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 12-13. 759 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a), Rule 227.400. 760 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 12. 761 Resolution no. 18592 of 26 June 2013 (as amended). 762 Regulatory Law No. 1 of 2004, art. 42, and DFSA Rulebook (Dubai), GEN 5.3.19, GEN/VER48/04-20. 763 SEC Nigeria Proposed Rules on Crowdfunding (Nigeria), art. 6 (a). 764 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), 4.01. 765 DFSA Rulebook (Dubai), COB 11.3.17, COB/VER36/04-20. 766 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 12 (2). 767 FCA Senior Management Arrangements, Systems and Controls Sourcebook—March (2016), 4.1.6. 768 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a), Rule 227.303 (e). 769 Resolution no. 18592 (as amended). 770 DFSA Rulebook (Dubai), COB 6.11–6.14. 771 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 10. 772 Resolution no. 18592 (as amended), art. 13. 773 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 8. 774 DFSA Rulebook (Dubai), COB 3.5.1. 775 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 8(1)-(2). 776 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 8 and pream- ble, para 26. 777 DFSA Rulebook (Dubai), COB 3.5.1. 778 SEC Regulation Crowdfunding, Rule 227.300. 126   Consumer Risks in Fintech 779 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), Rule 13.12. 780 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a), Rule 227.201. 781 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), Rule 13.11. 782 Regulation crowdfunding, General Rules and Regulations 17 CFR, (USA), Rule 227.402(a), Rule 227.301. 783 FCA, Consultation Paper 18/20, 4.21 and 4.22. 784 Corporations Act 2001 Pt 6D.3.A—Crowd Sourced Funding, 738Q (5). 785 EU Regulation 2020/1503 of 7 October 2020 on European crowdfunding service providers for business, art. 5. 786 DFSA Rulebook, COB 11.3.6, COB/VER36/04-20. 787 Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), Rule 13.05. 788 SEC Nigeria Proposed Rules on Crowdfunding (Nigeria), Rule 10. E-MONEY 7 E-MONEY 7.1 INTRODUCTION • E-money and financial-inclusion levels are inter- twined. The World Bank Group’s Global Findex This chapter identifies consumer risks arising from elec- Database 2017: Measuring Financial Inclusion and tronic money (e-money), which in some cases are new the Fintech Agenda (WBG Global Findex 2017) manifestations of traditional financial consumer risks, reported that around 1.7 billion adults lack an together with their related regulatory approaches account at a financial institution or through a mobile implemented across a range of countries. E-money money provider; nearly all living live in developing is arguably the best established of the fintech products economies.790 discussed in this paper. The examples in this chapter are • The scale of mobile money adoption and usage drawn from countries that have either significant e-money is on the increase, along with digitization of pay- regulatory frameworks in place or payments frameworks ments. WBG Global Findex 2017 noted increases applicable to e-money. In most cases, these frameworks in the use of digital payments; the share of adults apply to both bank and non-bank issuers of e-money. making or receiving digital payments rose 12 per- cent.791 The GSM Association’s (GSMA) State of the For completeness, it is noted that the focus of this Industry Report on Mobile Money 2019 also noted chapter is on e-money as a payments product. Accord- two key trends in 2019 indicating that the industry ingly, consideration is not given to the increasing role of had reached a “digital threshold”: (1) For the first e-money as a gateway to other products, including sav- time, digital transactions represented the majority of ings, credit, and investment products (such as investments mobile money flows (57 percent), and (2) for the first in government bonds or wealth-management products). time, more value was circulating in the mobile money system than exiting.792 The significance of e-money in a consumer and a)  • Regulatory reforms suggest that e-money is “com- inclusion context ing of age” in the sense of being accepted by E-money is significant in the fintech landscape for a regulators as a critical part of national payments number of reasons. They include the following: system architecture. The GSMA’s State of the Indus- try Report on Mobile Money 2019 notes the evolution • Increases in the breadth and diversity of innovative in the regulatory landscape to treating mobile money fintech-enabled e-money issuers and related part- under licensing regimes for payments systems and nerships, products, use cases, and technologies refers to developments in jurisdictions such as Ghana, suggest a need to focus on related FCP issues. This Malawi, India, Pakistan, and Tunisia.793 is especially the case since many of the new provid- ers are fintech entities that may be unregulated under licensing rules or FCP rules.789 128 E-Money  129 • The increased availability and reduced cost of c)  Key definitions smartphones is likely to increase the availability of There are some common characteristics in the vari- e-money services, although more could be done ous definitions of e-money adopted by international for women. The GSMA’s State of the Industry Report organizations and in regulatory frameworks. 797 For on Mobile Money 2019 predicts that smartphone the purposes of this paper, e-money is considered to adoption in emerging markets will reach 79.4 per- be a store-of-value product with the following charac- cent by 2025.794 However, the Global Partnership for teristics: (i) it is a digital representation of a fiat currency Financial Inclusion’s Report on Advancing Women’s (legal tender); (ii) it is a claim against the provider; (iii) Digital Financial Inclusion stresses the need to facil- it can be redeemed at face value on demand; and (iv) itate women’s universal ownership of mobile phones, it is accepted as a means of payment by persons other along with supporting official identity systems.795 than the provider. This definition does not focus on how • Finally, and importantly, the impact of the COVID- e-money might be accessed, which could include, for 19 pandemic has increased the demand for digi- example, a mobile phone, a PC, a card, or a wearable tal payments (including e-money) in preference to device, such as a watch. cash. Many commentators have noted this phenom- enon, which is caused by a multitude of factors. They The most common form of e-money in a financial include the impact of lockdowns on both consum- inclusion context is probably “mobile money.” This ers and merchants; the dissemination of emergency is generally understood to be a service where e-money relief, social welfare payments, and other forms of (and other financial services) are accessed via a mobile support via digital platforms; reductions in fees for phone.798 The phone may be either a simple feature payment services; and a disincentive to use cash phone with limited internet connectivity or a smart because of the perceived risk of infection transmis- phone. Probably the most famous of e-money examples sion from paper money.796 is M-Pesa (Kenya), but there are many others. Relevance of FCP to address e-money b)  d)  Risks and approaches consumer risks The sections below discuss the more significant new Some potentially new consumer risks have arisen manifestations of consumer risks identified as relevant in connection with e-money, but there are also new to e-money and their related regulatory approaches. manifestations of existing consumer risks. The more Consideration has been given to risks identified by significant of these risks relate to the risk of dealing with national regulators, as well as guidance from interna- unregulated e-money issuers; unauthorized and mis- tional standard setters, development agencies, and other taken transactions; agent-related risks, such as agent international commentators. The regulatory frameworks fraud; the liquidity and solvency of the provider of the considered have been those focusing on e-money and/ e-money product (and potentially the bank holding safe- or mobile money and related payments systems, rather guarded funds); and operational unreliability. Traditional than, for example, general banking or consumer protec- risks of consumers not receiving adequate information tion laws. For the reasons already discussed in section 2.1 are also considered as they have particular implications above, risks relating to data protection (or other areas when it comes to e-money. such as AML/CFT or competition) are not discussed in this chapter. A wide variety of regulatory approaches applicable to e-money consumer risks are well recognized, but Summary of risks and regulatory approaches e)  country context is important. The more common reg- discussed in this chapter ulatory approaches are highlighted in the discussion. However, as discussed in section 3.2 above, the suit- Table 6 summarizes the new manifestations of con- ability of a particular approach for a consumer risk will sumer risks and corresponding regulatory approaches depend on country-specific factors, including the nature discussed in this chapter. and scope of the relevant risk, the existing regulatory framework and especially that applicable to e-money, payments, and FCP generally, and the capacity and resources of regulators and supervisors. 130   Consumer Risks in Fintech TABLE 6: Consumer Risks and Regulatory Approaches: E-Money RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE Gaps in regulatory perimeter: Current requirements • Allow e-money activities to be undertaken only by licensed entities 131 may not apply to all entities offering e-money (including non-banks) products, and even if the licensing rules are “activities • Ensure consumer protection rules also apply on an activities basis to based,” consumer protection rules may not apply to providers of e-money e-money as a product given innovative differences. • Ensure that e-money is covered by any relevant definition of financial product or service Fraud or other misconduct resulting in consumer loss • Impose licensing/registration and vetting and competence requirements 132 • Fraud or misconduct by issuers or related parties, on e-money issuers and related parties including agents • Impose rules specifically for agents, including requirements for agents • Fraud by third parties to be trained and monitored; agent due diligence, agency agreements; publication of details of authorized agents; and clear provider responsibility and liability for agent conduct • Require operators to have in place adequate risk management and governance arrangements • Mandate transaction-authentication standards • Limit consumers’ liability for an unauthorized transaction except—for example, in case of fraud or gross negligence by the consumer • Require warnings and information about security risks to be provided to consumers • Require consumers to advise providers of matters relevant to potential fraud, such as lost or stolen devices or security credentials • Place the burden of proof on providers to show transactions were unauthorized • Require reporting of large-scale fraud/security breaches • Prohibit agents from charging unauthorized fees (Also, see below for approaches to deal with platform/technology vulnerability risks that may facilitate fraud) • Conflicts between interests of providers or agents • Impose conflict mitigation obligations on providers to avoid conduct and consumers (such as perverse incentive to their advantage inconsistent with consumers’ interests, or equivalent arrangements for agents), leading to consumer conduct engaged in by agents harms E-money platform/technology vulnerability or • Mandate technology risk and cybersecurity management requirements 136 unreliability: Platform/technology unreliability or • Place obligations on operators to ensure appropriate/minimum levels of vulnerability that causes or facilitates loss, operational reliability inconvenience, or other harms • Require notice to users of anticipated/actual service interruptions • Make a payer’s institution liable for transactions not being completed as instructed Mistaken transactions: A consumer’s funds are • Require a mechanism that enables the consumer to verify transaction 137 misdirected to an incorrect account/recipient as a result details before transaction completion of error, rather than fraud • Require providers to explain how to stop transfers  • Require FSPs involved in a transaction to make reasonable efforts to recover funds involved • Place the burden of proof on providers to show a transaction was authenticated and recorded accurately Provider insolvency or illiquidity • Require an e-money issuer to isolate and ring-fence funds equal to 138 • A provider may become insolvent, with insufficient e-money balances outstanding funds to meet the demands of e-money holders • Limit activities that e-money issuers can carry out to minimize insolvency • A provider or their agents may not have enough risk liquid funds to meet consumer demand, such as for • Mandate initial and ongoing capital requirements cash-out transactions • Require issuers to maintain sufficient liquidity and to ensure that agents have sufficient liquidity to honor cash-out obligations E-Money  131 TABLE 6, continued RISKS TO CONSUMERS REGULATORY APPROACHES SEE PAGE E-money not covered by deposit-insurance schemes: • Deposit insurance may be extended to e-money balances or to 139 E-money balances may not have the benefit of deposit custodial accounts holding the e-money float depending on availability insurance that applies to traditional accounts, in the of scheme in the country. An alternative policy approach is to exclude event of insolvency of either the e-money issuer or a e-money balances from deposit insurance schemes. (The arguments for custodial institution holding an e-money float (such as and against each of these options are beyond the scope of this paper a bank holding a trust account) but are covered in other publications referenced later in this chapter) E-money not permitted to be redeemed for face • Require funds to be redeemed at face/par/equivalent value 140 value: Providers may seek to apply a discount beyond transaction-processing fees Consumers not provided with adequate information 140 • Key product information is not disclosed/available • Require compliance with general transparency and/or disclosure up front to consumers • Require public up-front disclosure of T&C and fees and charges through all applicable channels, as well as provision of written agreements at contracting stage • Require consumers to be given notice of changes • Require standard form agreement to be lodged with regulator • Inadequate ongoing information, such as about • Require written notice of changes to be provided to consumers ongoing transactions, changes to the product, or • Require transaction receipts to be issued product suspensions or withdrawals • Require periodic statements to be issued and/or that consumers are able to access details of previous transactions • Disclosed information cannot be easily retained by • Require information be in a form that the customer can access and keep a consumer for future reference • Disclosure format risks in a digital context • See approaches for equivalent risks summarized above in the context of digital disclosure for digital microcredit • Misleading marketing • Prohibit misleading marketing in relation to e-money account • Require disclosure of provider’s details in marketing materials, to assist with recourse • Impose specific rules—for example, making risk statements prominent Unsuitable e-money products: E-money products • Require providers to design and distribute e-money products to meet 144 may not be designed to be suitable for the consumer the needs and capabilities of users in their target market segments they are marketed to, particularly some • Impose individual suitability assessment requirements previously unserved or underserved consumers GAPS IN THE REGULATORY 7.2  ing example of these challenges existed with the M-Pesa PERIMETER product in Kenya when it was initially offered by an MNO. The result may be to create a risk of regulatory arbitrage a)  Risks to consumers in the sense that the preferred form of an e-money issuer may depend on whether it is required to be licensed or There is a risk that current financial services licensing registered or supervised by a financial services regulator. or registration requirements do not apply to fintech However, it is to be acknowledged that more and more entities offering e-money products.799 In some cases, this countries have started to regulate e-money issuers on an may be as a result of a policy decision not to regulate a activities basis, so that any entity issuing “e-money” (how- particular type of e-money product (such as a closed-loop ever it is defined) must be licensed or registered (depend- e-money system). However, the concern here is with an ing on the relevant regulatory framework). “institutions-based” approach to licensing, where relevant rules apply only to traditional forms of financial service Even if financial sector licensing rules are activities institutions (such as those offering banking services). Under based, it may be the case that FCP rules do not apply this approach, there may be gaps in relation to existing to innovative products such as e-money. This may be non-financial institutions, such as MNOs, that decide to because of a narrow definition of the products and services offer financial products such as e-money. The latter type of covered by the consumer protection rules. For example, entity may be regulated by a telecommunications author- the relevant definition could refer to traditional payments ity, but not by the financial services regulator (such as a products, such as debit and credit cards, but not cover central bank responsible for the payments system). A lead- e-money or other forms of innovative payments products. 132   Consumer Risks in Fintech There may also be overlaps in consumer protection activity” within its scope and also “implementation of any rules applicable to e-money. It is not uncommon to other Payment Systems to be specified in Bank Indonesia include consumer protection provisions in e-money reg- provisions.”808 Ghana’s Payment Systems and Services Act ulatory regimes (for example, in relation to safeguarding contains various consumer protection provisions appli- client funds, transparency, and consumer-recourse issues). cable to a “payment service” and defines that term as However, there may also be an overlapping general and/ meaning “the provision of service to facilitate transfer of or financial services–specific, consumer protection frame- funds from a payer to a payee using various forms of pay- work applicable to e-money products. Such overlaps have ments instruments or electronic money.”809 The Central the potential to create confusion among consumers as to Bank of Nigeria’s general-purpose Consumer Protection their rights, uncertainties as to the obligations of regulated Framework applies to all institutions regulated by the cen- entities, and also supervisory overlaps and inefficiencies. tral bank and refers in broad terms to their “products and services,” without defining the term. 810 b)  Regulatory approaches The key regulatory approach implemented by jurisdic- 7.3  FRAUD OR OTHER MISCONDUCT tions has been to allow e-money activities to be under- taken only by entities that are licensed or registered a)  Risks to consumers by a financial sector regulator. The BIS Basel Committee Fraud or misconduct by issuers or related parties on Banking Supervision has noted that a requirement for a non-financial firm issuing e-money to be registered or A key consumer concern is suffering losses caused by licensed “would facilitate supervision by the prudential internal fraud or some other form of misconduct by supervisor and the implementation of prompt corrective issuers or related parties. Potential perpetrators include action or sanctions.”800 This is the EU approach, where the e-money issuers’ staff and agents and a range of related EU Directive on Electronic Money Institutions801 in effect parties, such as business partners and service providers. requires member states to prohibit the issuing of e-money These risks are exacerbated in relation to e-money, given other than by authorized entities.802 There are also many its uptake. As the size and diversity of e-money networks examples of countries that have taken this approach. For continue to grow exponentially, new actors and busi- example, in Ghana, under the Payment Systems and Ser- ness models may not be regulated or experienced or vices Act, the only entities that can engage in “electronic resourced enough to control or respond to the risks, and money business” are (i) entities licensed and authorized consumers may not have the digital skills to be able to under the Banks and Specialised Deposit-Taking Institu- detect or prevent them. tions Act and (ii) non-banks licensed under the Act.803 The Malaysia Financial Services Act provides another example Fraud involving issuers, agents, or related parties may of this approach. Under it, no person can carry on a busi- arise under a variety of circumstances. For example, ness providing for the issuance of a “designated payment agents may undertake fraudulent transactions after obtain- instrument” unless it is approved by BNM.804 Malaysia’s ing a consumer’s PIN or charge unauthorized fees in over- Financial Services (Designated Payment Instruments) Order the-counter transactions in ATM withdrawal frauds.811 An prescribes “electronic money” as a “designated payment example of internal fraud involving e-money concerned instrument” for the purposes of these requirements.805 MTN Uganda, where six employees were charged with defrauding the company of U Sh 10 billion (approximately Countries taking an activities-based approach to $3.4 million at the time).812 Ponzi-type schemes have been licensing also tend to apply the same approach to FCP identified in countries such as Nigeria, India, and Ghana, requirements more generally. That is, the FCP regula- where e-money account holders have been attracted into tory framework applies to all types of FSPs, including spe- digital investment schemes that later collapse.813 Systemic cific types of providers, such as e-money issuers, that are fraud is a particular concern, and arguably the risks increase licensed under payments laws. Australia806 and Indone- the more interoperable the payments system becomes. sia807 are examples of countries where FCP requirements are applied on such a basis. Agents may also engage in misconduct deliberately or inadvertently.814 The reasons may include poor selection To deal with the risk that e-money may not be cov- methods for new agents, as well as a lack of training or ered as a product by FCP provisions, countries may ongoing monitoring of agents. This risk may be exacer- expressly provide for its inclusion or make provision for bated where agent networks are shared if training and new products to be included at a later date. For exam- monitoring responsibilities are diluted. This is an increas- ple, Bank Indonesia’s Regulation on Consumer Protection ingly important issue, given the rise in the use of e-money in Payments System expressly includes “electronic money products and the related increase in the use of agents. E-Money  133 The GSMA’s State of the Industry Report on Mobile b)  Regulatory approaches Money 2019 notes that the number of agent outlets has tripled in the last five years and that there are now around Licensing and vetting requirements 7 million agents globally.815 The risk of fraud may be reduced by requiring e-money issuers to be licensed or registered and strict vetting Staff or agents may also be influenced to act not in the standards for any applicant and key senior manage- best interests of e-money users because of perverse ment members. As noted above, many countries require incentive arrangements, such as sales-based commis- e-money issuers to be licensed or registered. The assess- sions. Such arrangements may encourage them to recom- ment of an application for licensing or registration should mend one provider over another because of the higher include (among other things) vetting the ability of the commissions involved, regardless of whether the product entity and its senior management to assess and mitigate is suitable for the consumer’s financial needs, objectives, the risk of internal or external fraud and to implement any or capacity. required risk management controls. For example, under the EU Directive on Electronic Money Institutions and the Third-party fraud related provisions of PSD2, an applicant for an e-money A fundamental consumer concern with e-money and institution license is required to provide evidence of the fintech products, and with transacting through digital suitability of persons with specified holdings of capital means more generally, is the risk of loss from third-party or voting rights, taking into account the need to ensure fraud. Further, perpetrators and data may be located inter- sound and prudent management of the institution.821 A nationally, creating risks of cross-border enforcement and key operational principle specified in Malaysia’s e-money evidence gathering.816 Consumers may suffer loss of funds rules is that there be a board of directors and manage- as well as other harms, such as loss of personal data and ment with caliber, credibility, and integrity who fulfill man- identity theft.817 These risks have been noted by various dated fit and proper requirements.822 international organizations. They were recently highlighted in the 2020 report Payment Aspects of Financial Inclusion Agent-related approaches in the Fintech Era from the WBG and the BIS Committee Regulatory frameworks applicable to e-money often on Payments and Market Infrastructures.818 The IMF also include several measures to address risk of agent fraud highlighted research suggesting that there will be an or misconduct. Approaches to agent regulation differ. increased risk of digital fraud if efforts to scale up digital Some rules are institution based (such as those apply- payments during the COVID-19 crisis are not matched by ing only to licensed banks), while others are overarching equally paced improvements in cybersecurity. activities-based rules (so they apply to both banks and non-banks using agents).823 Examples of applicable rules A recent example of large-scale e-money fraud oc- include the following: curred in Uganda, where hackers reportedly broke into • Requirements for agents to be trained and mon- the systems of Pegasus Technologies, which processes itored: For example, Malawi’s Payment Systems mobile money transactions for entities such as MTN (E-Money) Regulations require that an e-money pro- Uganda, Airtel Money, and Stanbic Bank. Billions of vider be responsible for the training and supervision Uganda shillings were allegedly stolen, and bank-to-mo- of agents. Focus is on the use of the e-money system, bile-wallet payment services were temporarily suspended customer support and education, monitoring of agent (although account balances were reported not to have liquidity, and handling of customer complaints.824 In been affected).819 contrast, Kenya’s National Payment Systems Regula- tions simply require that if a payment service provider Another example of third-party fraud is authorized wishes to enlist an agent, then, at least 14 days before push-payment scams, which may involve e-money the appointment, they must notify the Central Bank of accounts as well as other types of payments accounts. Kenya and provide the relevant training manual and These scams involve tricking victims into sending money related materials.825 Ethiopia’s Use of Agents Directive to a fraudster. They have been widely reported as a prob- includes broad requirements in relation to training, lem in the United Kingdom, leading to the development contains detailed rules as to how agents should be of a voluntary code by payment service providers (includ- monitored and supervised by the financial institution ing e-money institutions, among others). This is the Con- (which would include an e-money issuer), and also sets tingent Reimbursement Model Code for Authorised Push out the supervisory powers of the National Bank of Payment Scams 2019, which was welcomed by the UK Ethiopia in relation to agent networks.826 Payments System Regulator.820 134   Consumer Risks in Fintech • Requirements for agent due diligence: For example, and transparent governance arrangements to ensure the Kenya’s National Payment System Regulation requires continued integrity of their e-money scheme, including that a payment service provider exercise due diligence segregation of duties and internal control arrangements and carry out suitability assessments in identifying, to reduce the chances of mismanagement and fraud.834 In selecting, and contracting agents or cash merchants.827 addition to requiring compliance with technical standards Ethiopia’s Use of Agents Directive also requires that a issued from time to time by the Central Bank of Kenya, financial institution (including e-money issuers) “estab- Kenya’s National Payment System Regulations impose lish efficient, clear, well documented and comprehen- an obligation to comply with specified international stan- sive agent due diligence policies and procedures for dards and any risk management guidelines.835 initial and ongoing assessment of agents in a way that mitigates risks.”828 Importantly, technology-related and cyber risk man- agement requirements are also essential approaches • Content requirements for agency agreements: to address fraud risk that arises from vulnerabilities Ghana’s Payment Systems and Services Act provides affecting e-money platforms and systems. These are detailed requirements for the content of agency discussed in the next section in the context of platform agreements and also for the responsibility of principal and technology unreliability and vulnerability risks. and master agents.829 Ethiopia’s Use of Agents Direc- tive also requires extensive minimum provisions to be Transaction authentication and other fraud addressed in an agency agreement.830 prevention standards In addition, to reduce the risk of unauthorized third Regulators apply numerous approaches to dealing with parties fraudulently posing as agents, regulators fre- the risk of unauthorized transactions. They may include quently require the publication of lists/registers of any of the following: authorized agents and/or requirements for agents to • Mandate transaction-authentication standards so display evidence of authorization. This evidence could as to minimize the risk of fraud. For example, the be the unique agent number and photo and/or the reg- European Union’s PSD2 requires “strong customer istration number issued by the regulatory authority. For authentication” when a transaction is initiated.836 The example, the Payment Systems (E-Money) Regulations in definition of this term in effect contemplates two-fac- Malawi require that an e-money provider ensure that its tor authentication, requiring the use of two or more agents display their agent identification number. Afghani- independent elements categorized as knowledge stan’s Electronic Money Institution’s Regulation has a broad (something only the user knows, such as a PIN) and requirement that an “electronic money institution” ensure possession and inherence (something the user is).837 In that customers can verify that an enterprise is an autho- contrast, the People’s Bank of China’s Measures for the rized agent. Examples of measures that might be taken Administration of Online Payment Business of Non- include a public database of authorized agents, signage Bank Payment Institutions allow use of one or more of that cannot be copied, displaying a unique photo and three specified authentication standards; the specified number, and a general customer-awareness program.831 transaction limits depend on the standard(s) chosen.838 • A consumer’s liability for an unauthorized trans- There may also be requirements for agents to have a action may also be limited under certain circum- business permit or some other qualification. For exam- stances. There may be exceptions to such limitations, ple, Kenya’s National Payment System Regulation pro- such as in the case of consumer fraud or gross neg- vides that a person cannot be appointed as an agent or a ligence or unreasonable delays in reporting a lost or cash merchant unless the person has a registration, busi- stolen card or device, or under more specific circum- ness license, or permit covering their commercial activi- stances, such as disclosure of a PIN or leaving a card ties.832 Singapore also requires agents to be licensed. A at an ATM. For example, under the European Union’s licensee is prohibited from providing a payment service PSD2, the basic rule is that the payer can be made lia- thorough an agent unless the agent is licensed.833 ble only for up to €50 for an unauthorized transaction unless there is fraud or gross negligence.839 However, Risk management and governance the provider may not be liable if notice of an unautho- Jurisdictions have applied risk management and gov- rized transaction is not given in a specified period.840 ernance obligations to e-money issuers. This is in addi- Australia’s ePayments Code has quite complex pro- tion to the more specific risk management approaches visions on unauthorized transactions.841 They start by discussed above. Malaysia’s Guideline on Electronic setting out the circumstances under which the holder Money requires an issuer of e-money to establish effective of the account will have no liability for an unauthorized E-Money  135 transaction (such as fraud by the provider’s employees State of the Industry Report on Mobile Money 2019 states or agents), and then set out the circumstances under that the number of agent outlets is now around 7 million which the holder may be liable for all or part of the loss. agents globally.848 Against this background, regulators These losses include those that occur before the loss or have introduced various approaches to deal with this risk. theft of a device or passcode is reported and those that result from a breach of security requirements. The pro- Providers are usually required to accept responsibil- vider has the burden of proof in these cases, and, in any ity for their agents, including (in some cases) even if event, there is no liability for losses that exceed trans- actions are not authorized. These provisions are com- action limits. In other cases, there is an A$150 cap on mon but vary in approach.849 Kenya’s National Payment liability (with some exceptions, where it may be lower). System Regulations are narrower, as they impose liability Many other countries, such as India and Kenya,842 have only for the actions of agents that are “within the scope variations on these provisions that, generally speaking, of the agency agreement.” However, an agency agree- are also oriented in favor of consumers. ment cannot exclude a payment service provider from liability.850 Bank Indonesia’s Regulation on Consumer • Require consumers to be advised of the need to Protection in Payments System refers to “losses arising report lost or stolen mobile devices or any secu- from the mistakes of its management and employees” rity credentials (such as a PIN) and any suspected and so is also quite narrow in scope.851 In contrast, Gha- unauthorized use of the e-money account. The Euro- na’s Payment Systems and Services Act expressly makes pean Union’s PSD2 requires that users be advised of a principal liable for all acts of an agent “in respect of the their obligation to report such events “without undue agency business” even if the acts are not authorized by delay” and that users have “appropriate means” to the agency agreement.852 Ethiopia’s Use of Agents Direc- make such reports.843 Afghanistan also requires that tive has a similar approach.853 payment service providers educate customers on security features and capabilities and the importance Some regulators also prohibit agents from charging of protecting personal information.844 fees. This is designed to prevent such practices as agents • Some countries also place the burden of proof on charging fees over and above those that may be charged the provider if they want to show a consumer is lia- by the provider of the e-money product (for example, fees ble for all or part of an unauthorized transaction. for cash-in or cash-out transactions or fees for the opening The European Union’s PSD2 is explicit in this regard. of an account). For example, Malawi’s Payment Systems 845 Ghana’s Payment Systems and Services Act takes (E-Money) Regulations require an e-money service pro- a slightly different approach, requiring a provider to vider to ensure that its agents “do not charge any addi- “ensure” that a transaction against an account is tional fees or tariffs to customers above those specified by authorized by the account holder.846 the e-money service provider.”854 Ghana’s Payment Sys- tems and Services Act specifically prohibits agents from Liability and responsibility for staff and agents charging a fee beyond that charged by the principal.855 While providers to some extent may be liable for con- duct of persons acting on their behalf under general General conflicts mitigation obligations of the kinds laws (for example, of employment or agency), reg- already discussed in chapters 5 and 6 would also be ulators commonly consider it necessary to impose relevant approaches in this context. Some jurisdictions responsibility and liability for such matters, especially have implemented additional targeted approaches. For for agents. The concern of regulators and other com- example, Ghana’s Payment Systems and Services Act pro- mentators is that a provider may seek to disclaim liability hibits an agent from approving an application for credit, for the acts or omissions of their agents, including in rela- insurance, or an investment product.856 tion to such matters as fraud or incorrect advice (among others).847 Without regulatory intervention, this is likely to Warnings and information for consumers occur given the greater bargaining power of the provider. Some e-money regulatory frameworks require report- In such cases, affected consumers would need to resort ing to the regulator of large-scale fraud/security to seeking redress from the relevant agent, who may not breaches. For example, Ethiopia’s Licensing and Autho- be able to deal with the issue and is unlikely to have suf- rization of Payment Instrument Issuers Directive requires ficient resources to compensate consumers. This is a sig- the prompt reporting to the National Bank of Ethiopia of nificant issue, given the potential for agents to engage in any suspected or confirmed cases of fraud or major secu- fraudulent activities. The risks of fraud are increasing with rity breaches.857 The European Union’s PSD2 also requires the growth of e-money services and rapid increases in the that users be informed of any security incident that may size of agent networks. As mentioned above, the GSMA’s have an impact on their financial interests.858 136   Consumer Risks in Fintech It is also common to require consumers to be edu- key statistics reflecting these trends, including the mile- cated about security risks with the goal of preventing stone of 1 billion registered mobile money accounts.864 unauthorized transactions. For example, the require- Further, operational failures are a very real risk for con- ments may be to provide advice on security features, sumers. A well-known example is the 2017 M-Pesa system ways to reduce the risk of fraud, the need to keep PINs outage, which affected a number of its core processes, confidential, and the liability regime for unauthorized reportedly lasted around seven hours, and led to a one- transactions. Australia’s ePayments Code requires that day waiver of fees for sending money on the M-Pesa net- users be given guidelines on the security of their devices work.865 Many other outages have been reported since and passcodes in the T&C or in other publications. These then, including a major outage in December 2018.866 guidelines must be consistent with requirements in the code on security of passcodes and must also clearly dis- These risks may cause various types of consumer tinguish the circumstances under which there is liability issues. Apart from inconvenience caused by loss of time for unauthorized transactions.859 Similar requirements are and general frustration, there may be the additional risk of found, for example in the European Union’s PSD2860 and losses caused by fraud, losses of date integrity, or penal- applicable rules in Malaysia.861 ties applied if transactions cannot be completed on time (such as late payment fees and penalty interest). Consum- ers unable to make payments for essential services, such 7.4 E-MONEY PLATFORM/ as utilities, may suffer great inconvenience if these services TECHNOLOGY VULNERABILITY are not available to them because an e-money system is OR UNRELIABILITY unable to complete a payment transaction. Against this background, it is no surprise that the inability to transact a)  Risks to consumers due to network downtime or system unreliability was the most common risk identified in a 2016 CGAP report.867 If platforms and other technology systems for an Ultimately, it is likely that poor operational reliability will e-money product do not operate as expected, or are result in a lack of trust in the e-money system with likely vulnerable to threats, consumers can be at significant adverse effects on financial-inclusion levels. risk of suffering loss, inconvenience, or other harms. This risk was highlighted in the 2016 G20 High-Level Princi- ples for Digital Financial Inclusion, which stressed the need b)  Regulatory approaches for the digital financial services ecosystem (including retail In addition to more general risk management and gov- payments systems infrastructure) to be reliable and safe.862 ernance standards mentioned above, regulators have This point was also made recently by the WBG and the been imposing more targeted risk management and BIS Committee on Payments and Market Infrastructures in operational reliability requirements. These include the the report Payment Aspects of Financial Inclusion in the following: Fintech Era. The report included as a key action for con- sideration (in summary) the testing of payments infrastruc- • Mandating technology risk- and cybersecurity-man- ture on an ongoing basis and enhancement as necessary agement requirements: Ghana’s Payment Systems to keep up with emerging threats to holders of transaction and Services Act requires an appropriate and tested accounts as well as payment service providers and oper- technology system that is equipped with fraud moni- ators.863 Unreliability and vulnerability may arise due to a toring and detection tools and a third-party certificate variety of factors. For example, they may be because of as to compliance with standards specified by the Bank poor system design (for example, the system is slow in of Ghana and a cybersecurity policy, where applica- operating or is not designed to limit errors in payments ble. Payment service providers are also prohibited processing or does not expeditiously correct them), or from engaging in acts likely to result in systemic risk or they may be affected by external causes (such as a failure affecting the integrity, effectiveness, or security of the affecting a cell phone base station or the entire system or a payments system.868 In the European Union, security dropped connection affecting a single transaction). rules under PSD2 require that there be a security policy in place, including detailed risk-assessment and related Although unreliability and vulnerability risks have control and mitigation measures, to adequately pro- always existed in the context of e-money systems, the tect users against risks such as fraud. In contrast, Mala- scale of the risks and the potential for loss is rapidly wi’s Payment Systems (E-Money) Regulations simply increasing with the rise in e-money accounts and the require the delivery of “secure” e-money services.869 number and value of transactions. The GSMA’s State of These requirements are accompanied by system- the Industry Report on Mobile Money 2019 highlighted audit requirements.870 E-Money  137 • Mandating that e-money and related payments tection for the payment service provider, as they will systems ensure operational reliability: A general not be liable, in summary, under abnormal or unfore- requirement and/or specific requirements may cover seeable circumstances beyond their control and the issues such as transaction processing, system capac- consequences of which are unavoidable. 884 ity, business continuity, disaster recovery, incident • Making clear the user has no liability for system/ responses, and back-ups. For example, the European equipment/electronic network malfunction: Austra- Union’s PSD2871 requires that payment service provid- lia has such a provision in the ePayments Code. How- ers have appropriate mitigation measures and control ever, this is subject to the qualification that, if the user mechanisms to manage operational (and security) risks, should reasonably have been aware that a system and that they make reports to the regulator on these that is part of a shared network was malfunctioning, risks at least annually.872 Kenya’s National Payment then liability may be limited to correcting errors and System Regulations require measures to ensure “oper- refunding fees. 885 ational reliability of the service including contingency arrangements.”873 Malaysia’s Guideline on Electronic Money has more detailed requirements, including for 7.5  MISTAKEN TRANSACTIONS comprehensive and well-documented operational and technical procedures to ensure operational reliability, a)  Risks to consumers and a robust business continuity framework, including Mistakes in e-money transactions are a key consumer a reliable back-up system (ss. 8.2–8.5). Malawi’s Pay- protection concern, as they may result in an accoun- ment Systems (E-Money) Regulations provide other tholder’s funds being misdirected to the incorrect example of these type of specific requirements.874 The account, and it may be difficult to have the mistake Payment Systems and Services Act in Ghana has a spe- corrected, especially given the need for irrevocability cific requirement that an e-money issuer (or a payment of payments transactions. This risk has been highlighted service provider) ensure “high quality performance of in various international guidelines and standards.886 The at least 99.5% service availability and accessibility.”875 mistake may be caused by users (for example, because • Requiring notice to users of anticipated/actual ser- of a confusing user interface) and also by agents or other vice interruptions: Afghanistan,876 China,877 the Euro- persons who are assisting them. This is a human-error pean Union, 878 and Ghana provide examples of such issue, rather than fraud. It is especially likely to occur requirements. Ghana’s Payment Systems and Services with consumers who are new to financial services and Act requires that users of e-money be notified within not used to using their mobile phones to conduct finan- 24 hours of a service disruption or an anticipated dis- cial transactions. Of course, mistakes could have arisen ruption. This notice must be given by SMS or another with electronic payments transactions even before the means approved by the Bank of Ghana.879 Some coun- advent of e-money, but it is the scale of the risk in this tries also require reports to the regulator of major context that is of concern, given the abovementioned operational or security incidents. Ethiopia’s Licens- rapid growth in the use of e-money and the likely low ing and Authorization of Payment Instrument Issuers levels of digital capability in a financial-inclusion context. Directive requires that agreements with users provide for announcements about service interruptions and b)  Regulatory approaches also requires quarterly reports to the National Bank of Ethiopia about the number, duration, and reason Various regulatory approaches have been developed to for service interruptions and the measures taken to deal with this important issue. They include the following: resolve the issue.880 • Requiring a mechanism that enables the consumer to verify the details of a transaction after it has • Making the payer institution liable for transactions been initiated but before it is finalized: For example, not being completed as instructed: Afghanistan,881 Eswatini’s Mobile Money Service Providers Practice the European Union, and Ghana882 all have such Note requires that there must be a mechanism for the requirements. In the case of the European Union’s customer to verify the name and number of the pro- PSD2, the liability extends to an obligation to make posed recipient before the transaction is finalized.887 a refund to the payer “without undue delay.” How- Malawi has a similar requirement, but it applies only ever, there will be no liability if the payment service “where feasible.”888 provider can prove that the payee’s institution received the transaction amount. The payer’s payment service • Requiring that the provider explain how to stop provider is also obliged to try to trace an incorrectly transfers: Afghanistan’s Electronic Money Institution’s executed transaction.883 There is, however, some pro- Regulation requires that an e-money institution clearly 138   Consumer Risks in Fintech explain to its customers how to stop a transfer that was regard, as they would not be subject to the full range of initiated in error or without consent.889 liquidity and capital requirements. A related risk is that agents may not have enough liquidity, in the sense of • Requiring that the financial institutions concerned not having enough cash or “e-float,” to satisfy consumer assist in resolving any mistake: Where a user claims demands, even if the provider has sufficient liquid funds. that a transaction was not properly executed, the European Union’s PSD2 puts an onus on the provider to “prove that the payment transaction was authen- b)  Regulatory approaches ticated, accurately recorded entered in the accounts and not affected by a technical background or some Segregation of client funds other deficiency of the service.”890 The provider also The most common regulatory approach to covering has an obligation to make “reasonable efforts” to the risk of providers becoming insolvent is to require recover the funds involved.891 Australia’s ePayments an e-money issuer to isolate and ring-fence funds Code has detailed provisions relating to mistaken pay- equivalent to the amount of outstanding e-money ments that also put an onus on the provider to assist balances in a trust account or equivalent that is segre- the user in the case of a mistaken transaction.892 gated and unencumbered.897 The funds may be required to be held in separate accounts (usually in the nature of There do not yet seem to be examples of regulations trust accounts) held in one or more prudentially regulated that require the user interface for e-money to be banks, in government securities, or in other investments designed so that it is simple and easy to use, to assist that are considered to be similarly secure. For a discussion in minimizing the risk of mistakes. CGAP, for example, of issues related to a requirement for segregation of client proposes 21 principles for user interface/user experience funds, see the 2019 World Bank report Prudential Reg- design in the context of mobile money.893 The sugges- ulatory and Supervisory Practices for Fintech: Payments, tions for improvements to user interfaces discussed in Credit and Deposits.898 chapter 4 in relation to digital microcredit may also assist. Jurisdictions take various approaches to such seg- regation requirements.899 Malawi’s Payment Systems PROVIDER INSOLVENCY OR 7.6  (E-Money) Regulations require that an e-money service ILLIQUIDITY provider maintain a trust account at a bank that holds an amount equal to no less than 100 percent of outstanding a)  Risks to consumers balances, and that no more than 50 percent may be held A significant risk associated with e-money arrangements in any one bank. The funds in the trust account must be is that a provider may become insolvent and funds may unencumbered and must not be intermediated.900 In con- be insufficient to meet the demands of e-money hold- trast, the European Union’s PSD2 provides two options ers.894 The balance in an e-money account may not be for safeguarding funds: (1) to keep funds matching out- considered a “deposit” protected under banking regula- standing balances in a separate account in a prudentially tions. Examples of protective regulations for such depos- regulated credit institution or invested in secure, low-risk its include depositor priority rules in a winding-up.895 For assets as defined by a member state, or (2) to cover the example, the European Union’s Directive on Electronic outstanding funds with private insurance from an unre- Money Institutions makes it clear that the issue of e-money lated (e-money) issuer or credit institution that is payable is not a regulated deposit-taking activity, given that it is if the payments issuer is unable to meet its financial obli- considered to be a surrogate for banknotes and coins to be gations.901 Bank Indonesia’s E-Money Regulation requires, used as a means of payment, rather than saving.896 Deposit in summary, 30 percent of the e-money float to be held in insurance rules may also not apply to e-money accounts, a commercial bank and 70 percent to be held in govern- as discussed further below. The result of this lack of pro- ment or Bank Indonesia securities or financial instruments tection is likely to be that e-money holders will rank with or in an account at Bank Indonesia.902 other unsecured creditors and will be paid after any deposit holders, any secured creditors, and any other creditors with In some cases, the segregated account obligations some other form of statutory priority. apply only to non-bank issuers, and banks have lesser obligations (presumably because of the prudential reg- There is also the risk that an e-money provider or their ulations that apply to them). For example, under Tan- agents may not have enough liquid funds to meet con- zania’s Payments Systems (Electronic Money) Regulations, sumer demand on a day-to-day basis, especially for banks and other financial institutions that are e-money cash-out transactions. Non-bank e-money issuers that issuers have to open a “special account” to maintain funds are not prudentially regulated are of most concern in this deposited by non-bank customers issued with e-money, E-Money  139 whereas other e-money issuers must maintain these funds that e-money service providers ensure that their agents in a trust account maintained by a separate trust entity.903 maintain sufficient liquidity to honor cash-out obligations to their customers. 917 Regulatory frameworks may also require multiple banks to hold the trust account or equivalent balances. Some Initial and ongoing capital requirements countries require safeguarded funds to be held in more Capital requirements may also be imposed on e-money than one bank when the safeguarded funds reach a cer- issuers. These requirements may relate to both initial and tain threshold. This is to cover the risks that the bank may ongoing capital and may differentiate on the basis of fac- become insolvent even if the e-money issuer is solvent. tors such as whether the provider is a bank or non-bank For example, Kenya’s National Payment System Regula- financial institution, the nature of their activities, and the tions provide that if the relevant amount is over K Sh 100 size of the e-money business of the provider. Require- million, then the funds must be held in a minimum of two ments may also vary from time to time, as determined “strong rated banks” with a maximum of 25 percent in any by the regulator. Many countries and regions have such one bank. 904 Malawi’s Payment Systems (E-Money) Reg- requirements for e-money issuers. For example, Malaysia’s ulations state that only 50 percent of trust funds may be Guideline on Electronic Money is to the effect that issu- maintained with a single bank at any one time.905 ers of “large e-money schemes” are required to maintain unimpaired shareholders’ funds of RM 5 million or 8 per- Limit activities e-money issuers can carry out cent of the monthly average of their outstanding e-money This approach is designed to protect against the risk that liabilities over the last six months, whichever is higher. providers may dissipate their e-money assets through These rules apply only to issuers that are not licensed the need to support other businesses. Many countries under Malaysia’s Banking and Financial Institutions Act of and regions have such requirements, including the Euro- 1989, the Islamic Banking Act of 1983, or the Develop- pean Union,906 Ghana,907 Malawi,908 Malaysia,909 and Sin- ment Financial Institutions Act of 2002. A “large e-money gapore.910 For example, under Malawi’s Payment Systems scheme” means a scheme with a purse limit exceeding (E-Money) Regulations, an e-money issuer is prohibited RM 200 and outstanding e-money liabilities for six con- from carrying out any business other than e-money ser- secutive months of RM 1 million or more. 918 For further vices, or other than banking business if they are a bank.911 discussion of capital requirements applicable to e-money In some cases, additional activities may be carried out with issuers in a wide range of countries, see the 2019 WBG the approval of the regulator. Under the Indonesia E-Money report Prudential Regulatory and Supervisory Practices for Regulation, approval may be obtained for “cooperation” Fintech: Payments, Credit and Deposits.919 activities (for example, with other service providers).912 Recovery and resolution planning E-money businesses may also be required to be in a Finally, a regulatory approach that might be con- separate subsidiary or in a business unit that is sepa- sidered is including specific requirements for large rate from other businesses (especially for non-banks). e-money issuers, especially those that are dominant in A requirement for non-bank e-money issuers to establish their markets, on reorganization plans and plans to exit a separate legal entity has also been endorsed by the the market in an orderly manner, akin to recovery and Bank for International Settlements Basel Committee on resolution plans applicable for the banking sector. This Banking Supervision.913 The E-Money Circular of Bangko issue is raised for completeness, as it is beyond the scope Sentral ng Pilipinas’ (BSP), the Central Bank of the Phil- of this paper to consider it in detail. ippines, provides that non-bank providers may provide e-money services only through a separate entity incor- porated exclusively for that purpose.914 In contrast, Ken- ya’s National Payment System Regulations provide for a E-MONEY NOT COVERED BY 7.7  payment service provider to separate its payment services DEPOSIT INSURANCE SCHEMES in a separate business unit with a separate management a)  Risks to consumers structure and books of account.915 E-money balances may not have the benefit of deposit Require liquidity to be maintained insurance that applies to traditional accounts. One of In addition to the above safeguards, there may also be the objectives of such insurance is to protect consumers a specific requirement to maintain liquidity on an ongo- if the institution holding the relevant funds fails. As CGAP ing basis. For example, Malaysia’s Guideline on Electronic noted in a recent paper, there are two general approaches Money requires issuers to ensure that they have sufficient to deposit insurance in relation to e-money accounts: the liquidity for their daily operations.916 Malawi also requires direct approach, where e-money accounts are consid- 140   Consumer Risks in Fintech ered to be eligible accounts under the deposit insurance benefit of the individual e-money holders. The United scheme, and the pass-through approach, where cover States takes this approach. The Federal Deposit Insurance “passes though” an account (such as a trust account) Corporation has rules to the effect that the deposit insur- held at an institution covered by the deposit insurance ance scheme covering a pooled account held for the pur- scheme.920There is also the exclusion approach, whereby poses of a prepaid card program will pass through to the the products are expressly excluded from the deposit insur- individual card holders if the records of the deposit institu- ance scheme. Arguments for and against each of these tion acknowledge the agency or custodial relationship; if options are outside the scope of the current discussion there are records of the cardholders and the amounts due but have been recently canvassed by CGAP921 and coun- to them; and if the funds in question are clearly owned by try context will of course always be a key consideration. the prepaid cardholders.928 The existence of such insur- Regardless of the approach taken, consumers should know ance must be noted on the mandatory short-form disclo- whether their e-money balances are protected, and this sure document for such products.929 should be clear from the regulatory framework. For completeness, it is also noted that, besides deposit E-MONEY NOT REDEEMABLE 7.8  insurance, there are other controls designed to miti- FOR FACE VALUE gate the risks of insolvency of a custodial institution holding an e-money float (such as a bank holding a a)  Risks to consumers trust account). For a full discussion of relevant controls Consumers wanting to redeem their e-money balances (including as to insolvency of the provider as well as the may face the unexpected risk of providers withholding custodial institution) see the 2019 World Bank report Pru- a portion of those balances. This may be the case if pro- dential Regulatory and Supervisory Practices for Fintech: viders seek to apply a discount to the funds redeemed in Payments, Credit and Deposits922 and the 2020 report addition to or instead of market-based fees that apply for Payment Aspects of Financial Inclusion in the Fintech Era a redemption service. For completeness, this is different from the WBG and the BIS Committee on Payments and from the risk that a government may act to limit cash-out Market Infrastructures.923 services in the event of a cash crisis, as was the case in Zimbabwe in 2019.930 b)  Regulatory approaches Some jurisdictions have chosen to make clear in their b)  Regulatory approaches frameworks that e-money balances are in fact covered by deposit insurance. Ghana’s Payment Systems and Ser- The common regulatory approach for this risk is man- vices Act provides that an e-money holder is eligible for dating that providers allow e-money balances funds to protection under the Ghana Deposit Protection Act, pro- be redeemed at face value, sometimes also referred to vided their balance is within the prescribed threshold.924 as par or equivalent value. This requirement applies in a Afghanistan’s Electronic Money Institution’s Regulation wide range of jurisdictions, including Afghanistan,931 the requires the “mother” or “pooled account” to be insured European Union,932 Ghana,933 Kenya,934 Malawi,935 and the with the Afghan Deposit Insurance Corporation. If the Philippines.936 For example, Malawi’s Payment Systems corporation does not exist, then the e-money institution (E-Money) Regulations provide that e-money must be must ensure that e-money deposits are “fully insured by a issued and redeemed in Malawi kwacha as legal tender solvent, licensed insurer.”925 and redeemed for face or par value.937 In contrast, Singa- pore’s Payments Act appears to prohibit the exchange of Some jurisdictions have made the decision to clearly e-money for Singapore currency for users who are resi- exclude e-money balances from deposit insurance and dent in Singapore, other than on closure of the account.938 to require consumers to be warned about this being the case. Under the Philippines BSP E-Money Circular, e-money is not considered a deposit when issued by banks CONSUMERS NOT PROVIDED WITH 7.9  and is not insured by the Philippine Deposit Insurance Cor- ADEQUATE INFORMATION poration. Further, customers must be advised of this fact and must agree in writing.926 A similar position applies in a)  Key product information not disclosed upfront China under the Measures for the Administration of Online Risks to consumers Payment Services by Non-Bank Payment Institutions.927 As in the case of digital microcredit, discussed in chap- In some jurisdictions, deposit insurance may apply to ter 4, poor disclosure practices are a common concern a custodial account holding the e-money float, for the with respect to e-money.939 While transparency-related E-Money  141 risks are already a concern in connection with traditional ple, the European Union’s PSD2 requires the disclosure products, they are exacerbated in the digital environment of information about framework contracts for payment of e-money, given the technological interface through services; the requirements apply to contracts for e-money which information is provided (it is often provided on a services.946 Other examples are in the regulatory frame- small mobile phone screen); the fact that it may not be works in countries and regions as varied as Australia,947 possible to retain the information for future reference (for Ethiopia,948 Indonesia,949 Kenya,950 and Nigeria.951 example, where it is provided on a feature phone with limited internet connectivity); the speed with which the Require disclosure of fees and charges to consumer. This information may be presented to the consumer, which is also a common requirement. Eswatini,952 the European gives them little time to read or understand the informa- Union,953 Kenya,954 Malawi,955 Malaysia,956 and Nigeria957 tion; and that the consumers are likely to have low lev- all provide examples. In some cases, there is a require- els of financial or digital literacy. Another challenge may ment to disclose fees both up front and on a transaction be that consumers feel that they have little choice about basis. For example, the European Union’s PSD2 requires accepting a particular e-money product and hence do that all charges be disclosed to the consumer before the not see the point in reading all the T&C. This could occur, contract is entered into and before a transaction is initi- for example, where there is limited competition between ated. Separately, there are mandatory EU requirements e-money issuers and where consumers are offered a dig- for standardized disclosures of fee information on con- ital account as a means of receiving wages or cash trans- sumer payments accounts, including information about fers or other benefits (such as those provided as a result of the standardized terms and definitions to be used to the COVID-19 crisis). describe common fees and a mandatory fee information disclosure template. The United Kingdom is one exam- If the consumer is not provided with key e-money ple of a country that has introduced such requirements.958 product information, or the information provided is Kenya provides another example of transaction-specific not clear, they may not understand the product fea- fee disclosure requirements, as the Competition Author- tures and functions, will not understand how much it ity of Kenya’s 2016 rule requires that mobile FSPs present will cost or how to use it, and they will be unable to full transaction cost information at the time of the trans- compare offers easily. For example, research by CGAP in action and on the same screen. Research by CGAP has Kenya on consumers’ awareness of changes in transaction suggested that this requirement has resulted in increased fees for the popular M-Pesa product indicated a failure pricing awareness.959 to take advantage of favorable aspects of these changes even though they were widely publicized. This research Requiring the up-front availability of key information also indicated that consumers had limited knowledge of through applicable channels, including on websites, competitors’ fees; some mistakenly believed that Airtel through agents, and in any branches, is an import- Money was more expensive.940 The end result of such mis- ant measure to ensure accessibility. Kenya’s National understandings and nondisclosures generally may be that Payment System Regulations require information about consumers choose products that do not meet their needs charges (and other T&C) to be displayed “prominently and incur costs that could have been avoided. This may at all points of service.”960 Malaysia’s Guideline on Elec- lead to low usage levels of the product in question and tronic Money also requires that information about ultimately low levels of trust in at least e-money products fees and charges (and other T&C) be made available and perhaps more broadly. through “various channels,” which include the issuer’s website, brochures, and registration form (user’s and mer- Regulatory approaches chant’s copy).961 Providers have been required to comply with an over- arching principle of transparency and/or disclosure. For Requiring that a written agreement be provided to example, in Malawi, a specific rule states, “An e-money each consumer covering the terms of the service and service provider shall adopt market conduct and consumer any related fees can be a complementary approach, protection measures that comply with principles of… (b) and it may help consumers retain such information. For full disclosure of information.”941 Other examples of gen- example, Kenya requires that a payment system provider eral transparency obligations applicable to e-money are complete a customer service agreement with every cus- provided by the regulatory regimes in Ghana,942 Indone- tomer and that it contain specified information, including sia,943 Malaysia,944 and Nigeria.945 information about many of the issues detailed above.962 Other examples of such requirements are in China,963 Disclosing contractual T&C to the consumer is one of Ghana,964 Malaysia,965 and the Philippines.966 the most common regulatory requirements. For exam- 142   Consumer Risks in Fintech b)  Inadequate ongoing information Ghana’s Payment Systems and Services Act requires seven days’ notice of changes to fees and charges, and notice Consumers also face risks if they are not provided with must be made by SMS or any other method approved ongoing information about their use of an e-money by the Bank of Ghana.970 None of the regulatory regimes account. This may mean they cannot keep track of trans- reviewed appear to negate the effect of the change if the actions and account balances for financial management required notice is not given, although breaches may be the and budgeting purposes, and it may also make it difficult subject of complaints and/or penalties. to identify fraudulent activity or mistaken transactions. Given the potential lack of physical touchpoints with pro- Some jurisdictions have also specifically required pro- viders (such as branch visits that may be usual when oper- viders to give advance notice of withdrawal or suspen- ating a traditional account), the importance of providing sion. The European Union adopts this approach, as PSD2 such information to consumers can be even more signifi- requires giving a minimum of two months’ notice of the cant in this context. termination of a framework notice, and only if the right to do so is agreed in the contract.971 Risk of insufficient notice of changes Without sufficient notice of changes to their e-money Risk of inadequate transaction receipts/ account, consumers may not to be able to deal confirmations with such changes adequately—such as by closing Receipts for an e-money transaction may not be pro- or switching products. Any adverse impact of such a vided or may be incomplete. This will be a concern for any change may therefore be increased. For example, a con- consumer who wants to keep track of the full details of their sumer may be unaware that a provider may unilaterally transactions and the associated fees (for example, so as to withdraw or suspend a product, and that, if this were to manage records of a small business or a household budget occur without notice, it could cause considerable incon- record). Receipts are also an important means of checking venience for the consumer and possibly expose them for fraudulent and mistaken transactions. All these issues to late payment fees and other penalties if the facility is are especially important for e-money transactions that are unavailable when needed. An example of the consider- conducted electronically without a paper trail in situations able impact of even a temporary suspension of e-money where there is not necessarily easy access to the provider accounts was provided when the Uganda Communica- of the service. The Better Than Cash Alliance provides as tions Commission ordered mobile money operators to an example of enhancing product transparency the client disable their platforms during an election. The effects receiving proof of each transaction and also having access included an inability to pay school fees and for utilities to clear and simple transaction and account records.972 such as electricity and water, and, perhaps more sig- nificantly, a loss of trust in the mobile money system, indicated by the emptying of mobile wallets when the Regulatory approaches platform became operational again.967 The most obvious regulatory approach is obliging pro- viders to issue transaction receipts. For example, Kenya’s Regulatory approaches National Payment System Regulations require the payment Regulators now frequently require consumers to be service provider “without undue delay” to provide the given notice of changes to T&C and fees and charges. payer with a unique transaction reference and detail of the Many countries and regions have such requirements, but amount, payee and their account, and the debit. The payee there are variations in the time period for giving of notice, is also required to be given advice about the crediting of the nature of changes that must be notified, and how the the relevant amount.973 The European Union’s PSD2 also notice may be provided. For example, in the Australian has detailed requirements for transaction information to be ePayments Code, at least 20 days’ advance notice must be provided to both the payer and the payee in an individual given of changes to fees for transactions, issuing a device payment transaction. A payer may also request informa- or passcode, any increase in liability for transaction losses, tion about the maximum execution time and any charges and also changes to daily or periodic transaction limits. before a specific transaction is completed. 974 There are also tailored requirements for low-value facili- ties (those that can have a balance of no more than A$500 Another option is requiring that transaction information at any time). Otherwise, notice must be given before the be available to the user, without necessarily mandating change takes effect. These notices may be given electroni- the provision of receipts. For example, Bank Indonesia’s cally.968 In the European Union, under PSD2, there must be Regulation on Consumer Protection in Payments System, a two months’ notice of changes to a wide variety of mat- in general terms, requires a provider to provide facilities ters, including to charges (fees) and provisions concerning “to allow Consumers to obtain information.” China’s Mea- mistaken and unauthorized transactions.969 In contrast, sures for the Administration of Online Payment Business E-Money  143 of Non-Bank Payment Institutions also include an obliga- an e-money account, but the information may not be tion to provide a free enquiry service about transactions provided in a form that can be retained for future ref- for a year.975 Malawi’s Payment Systems (E-Money) Regula- erence.982 Retention of this information is important as a tions also require extensive transaction information to be reference for consumer understanding of their rights and maintained and to be available to the user.976 obligations, and as evidence in the case of a complaint or dispute. This risk is compounded when information is pro- Risk of inadequate periodic statements/updates vided via USSD on feature phones with small screens or is Consumers may be unable to keep track of their available only on a website that may not retain the version e-money transactions and accounts if they are not pro- of the information originally given to the consumer. vided with periodic statements of account or equivalent information.977 It may be the case that these statements Regulatory approaches are not provided or only “mini-statements” are made avail- The most direct approach is to require, in effect, that able for e-money accounts. In either case, consumers will the information be in a form that the customer can run the risk of not seeing mistaken/unauthorized transac- access and keep for future reference. For example, the tions or misunderstanding account balances and debits European Union’s PSD2 requires that information be pro- and credits. Further, the lack of complete periodic state- vided on paper or in a “durable medium,” which in turn ments may be a problem if the consumer has only a lim- is defined as (in summary) an instrument that allows the ited time in which to notify the provider of concerns about user to store information in a way that makes it accessible the transaction. However, there are likely to be challenges for future reference.983 Malaysia’s Guideline on Electronic in providing periodic statements where e-money services Money also requires that T&C be “easily accessible” (as are provided through USSD devices and consumers do not well as understood).984 have formal postal addresses. As with other risks, these risks are likely to be exacerbated in the fintech era as the d)  Disclosure format risks in a digital context use of e-money grows. Chapter 4 discussed, in the context of digital microcre- Regulatory approaches dit, other factors in a digital context that can harm the The strongest regulatory approach is to impose a provision of information or that may require adapta- requirement to provide periodic statements, while tion from a paper environment to ensure its effective- a potentially less effective approach is making them ness. Equivalent issues are relevant to the presentation available on request. The Australian ePayments Code and delivery of information in connection with e-money. reflects the former approach by requiring periodic state- ments every six months. However, these requirements e)  Misleading marketing do not apply to low-value facilities (with balances of no more than A$500). For such facilities, providers must Risks to consumers give users a process to check the balance of the account As is the case in relation to digital microcredit, discussed as well as either a receipt or a mechanism to check trans- in chapter 4, misleading marketing practices have been action history.978 detected in connection with e-money that could have significant impact, particularly on vulnerable users of Some jurisdictions require enabling the consumer to such products. Providers may fail to disclose or may be access details of their transactions or to be given infor- misleading about key product features, transaction fees, mation about how to do so. For example, in Ethiopia at minimum balances, or monetary limitations on usage.985 least the last 10 transactions must be online.979 Eswatini The FCA, for example, expressed concerns about mis- makes provision for statements on previous transactions leading advertisements by e-money issuers and other to be provided on request (without any limit on the num- payment service providers that allege that their services ber).980 Afghanistan requires that customers be advised as are “free,” even though fees are charged by intermedi- to how they can learn their current e-money balance and ary service providers, and about providers that advertise obtain a list of recent transactions.981 themselves as offering “bank” accounts or imply that they are a bank.986 Another FCA concern was that customers c)  Inability to retain information were being misled by comparative cost claims; the FCA has noted that, as a result, customers may miss out on Risks to consumers services that are better suited to their needs “with better A consumer may be provided with all/some of the infor- quality, prices or overall value.”987 mation they need to make informed decisions about 144   Consumer Risks in Fintech These risks are likely to be exacerbated in a digital they are marketed to can be heightened in markets financial inclusion context. In that environment, con- where new providers are involved and products are sumers are more likely to have low levels of financial or increasingly used by, and aggressively marketed to, technological capability. They are thus likely to be espe- previously unserved or underserved consumers. Suit- cially vulnerable if they are presented with a misleading ability issues can include the degree of acceptance of offer of digital e-money services, especially in an environ- e-money by merchants, utility providers, government ment where there is no opportunity to ask questions, seek agencies, and other consumers; the availability of pay- advice, or make comparisons. ment points (for example, agents, branches, third parties, and ATMs); transaction fees and limits; the extent to which Regulatory approaches the product is interoperable; and, importantly, whether Some jurisdictions prohibit misleading marketing spe- the product meets the needs of specific target groups cifically in relation to e-money accounts. The Payment (such as women, youth, farmers, or savings groups). Fur- Systems and Services Act in Ghana requires that market- ther, the COVID-19 pandemic may be compounding ing by e-money issuers and payment service providers these risks, as cash transfers, remittances, and other forms “follows the general principles of honesty and transpar- of income support (as well as emergency credit) are being ency”).988 There are prohibitions against misleading and made available through digital payments accounts such deceptive conduct also in Kenya’s National Payment Sys- as e-money. In such cases, consumers may feel that they tem Regulations and Malaysia’s Financial Services Act.989 have no choice but to accept the product, even if it is not However, such provisions are not commonly included in entirely suitable for their needs. e-money regulatory frameworks, perhaps because gen- eral requirements are in place.990 Calls have been increasing for some time for digital financial services products (including payments prod- There may also be requirements to disclose the pro- ucts such as e-money) to be proactively designed to vider’s details in advertising or sales materials as well meet consumer needs. For example, the 2016 G20 as in T&C, to assist consumers with recourse if they High-Level Principles for Digital Financial Inclusion are harmed by these materials. For example, Ghana’s also describe consumer-centric approaches to product Payment Systems and Services Act requires the inclusion design that focus on customer needs, preferences, and of the provider’s address, telephone number, and e-mail behaviors as examples of action to promote digital finan- address in all marketing material. The FCA’s Payments and cial inclusion.992 E-Money Standards also require that all communications sent to an e-money customer include the name of the pro- b)  Regulatory approaches vider. This approach minimizes the risk that a consumer might be unaware of who the provider is, especially where Product design and distribution requirements e-money products are marketed under a brand name As discussed in previous chapters, there is an emerging (for example, “M-Pesa”) or that of a third party under a regulatory trend of requiring FSPs to design and dis- white-labelling arrangement. tribute products to meet the needs and capabilities of users in their target market. Common elements of such Other specific requirements may relate to communi- regimes are discussed in chapter 3. Some jurisdictions cations sent to e-money customers. For example, the have applied, or are in the process of extending, such FCA’s Payments and E-Money Standards require that requirements to payments products.993 communications be accurate and, in particular, that they not emphasize the potential benefits of a service without a Product suitability requirements “fair and prominent indication of any relevant risks.” There Some regulatory frameworks also require that there be are also requirements that the communications be likely consideration of the financial objectives, financial situ- to be understood by the average member of the target ation, or needs (or similar concepts) of a specific con- group and that they not “disguise, diminish or obscure sumer before providing a financial service, particularly important information, statements or warnings.”991 where personal recommendations or advice are being provided. These requirements are in addition to any product design rules. The statement of advice and gen- 7.10  UNSUITABLE E-MONEY PRODUCTS eral advice rules in Australia’s Corporations Act provide an example of such requirements. These requirements a)  Risks to consumers apply to a wide range of financial products and services, The risk that particular e-money products may not be which could include non-cash payments products such as designed to be suitable for the consumer segments e-money.994 E-Money  145 NOTES 789 “Diversification of the Financial Services Ecosystem” in GSMA, State of the Industry Report on Mobile Money 2018. 790 World Bank Group, Global Findex Database 2017, chapter 2. 791 World Bank Group, Global Findex Database 2017, chapter 4. 792 “The Evolution of the Digital Ecosystem” in GSMA, State of the Industry Report on Mobile Money 2019. 793 “Regulatory Developments in 2019” in GSMA, State of the Industry Report on Mobile Money 2019. 794 GSMA, State of the Industry Report on Mobile Money 2019, 29. 795 GPFI, Report on Advancing Women’s Digital Financial Inclusion, s. 4.1. 796 See, for example, IMF, “Digital Financial Services and the Pandemic.” See also Jurd De Girancourt et al., “How the COVID-19 Crisis May Affect Electronic Payments.” 797 See, for example, the definitions of e-money and mobile money in Ehrentraud et al., Policy Responses to FinTech, 26, para 43, and 53; Adrian and Mancini-Griffoli, Rise of Digital Money, 4; and Financial Action Task Force, Virtual Curren- cies (see the description of e-money in the definition of virtual currency on page 4). A few examples of the various reg- ulatory frameworks that define e-money or electronic money are the broad definition in the EU Directive on Electronic Money Institutions 2009, art. 2; Ghana’s Payment Systems and Services Act 2019, s. 102, which refers to e-money being redeemable for cash as well as being accepted by a person; Indonesia’s E-Money Regulation 2018, art. 1(3), which states that one of the elements of electronic money is that the value deposited by a holder is “not savings as referred to in the law concerning banking”; and Singapore’s Payment Services Act 2019, s. 2—this definition unusually refers to the underlying value being “pegged” to a currency. 798 GSMA, “Mobile Money Glossary.” 799 World Bank Group, Good Practices, annex A, s. A1. 800 Basel Committee on Banking Supervision, “Guidance on Application of Core Principles” (Principle 4). 801 Directive 2009/110 on Electronic Money Institutions 2009 (EU). 802 Directive 2009/110 on Electronic Money Institutions 2009 (EU), art. 10. 803 Payment Systems and Services Act 2019 (Ghana), s. 21 and related definitions in s. 102. 804 Financial Services Act 2013 (Malaysia), s. 8 (1) and Division 1 of Part 1 of Schedule 1. 805 BNM Financial Services (Designated Payment Instruments) Order (2013), s. 2(d). 806 Corporations Act 2001 (Cth), Chapter 7 and the ePayments Code 2016 (Australia). 807 BI Regulation on Consumer Protection in Payments System 2014 (Indonesia). 808 BI Regulation on Consumer Protection in Payments System 2014 (Indonesia), art. 2. 809 Payment Systems and Services Act 2019 (Ghana), s. 102. 810 CBN Consumer Protection Framework 2016 (Nigeria), s. 1.2. 811 Buku and Mazer, “Fraud in Mobile Financial Services,” 2. See also ITU-T Focus Group on Digital Financial Services, Commonly Identified Consumer Protection Themes, s. 3.3. 812 Morawczynski, “Fraud in Uganda.” 813 Buku, “Innovation in Mobile Money.” 814 World Bank Group, Good Practices, annex A, ss. C4 and C6. 815 “Growing and Globalising” in GSMA, State of the Industry Report on Mobile Money 2019. 816 IMF, “Digital Financial Services and the Pandemic.” 817 ITU-T Focus Group on Digital Financial Services, Commonly Identified Consumer Protection Themes. 818 Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion, s. 4.3.2 and Guideline 3. 819 See, for example, Kyamutetera, “Hackers Break Into Mobile Money System.” See also Stanbic Bank Uganda, MTN Uganda, and Airtel Uganda, “System Incident Impacting Bank.” 820 The Contingent Reimbursement Model Code for Authorised Push Payments Scams 2019 (UK). 821 EU Directive 2009/110 on Electronic Money Institutions 2009, art. 4. See also PSD2, art. 5. 822 BNM Guideline on E-Money 2016 (Malaysia), s. 7.1.1. 823 Staschen, “Basic Regulatory Enablers,” Box 4. 824 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 22. 825 National Payment System Regulations 2014 (Kenya), s. 16(2)(g). 826 Use of Agents Directive 2020 (Ethiopia), art. 17(6) and Part VII. 827 National Payment System Regulations 2014 (Kenya), art. 20. 828 Use of Agents Directive 2020 (Ethiopia), art. 6. 829 Payment Systems and Services Act 2019 (Ghana), ss. 87 and 88. 830 Use of Agents Directive 2020 (Ethiopia), art. 9 and annex II. 831 Electronic Money Institutions Regulation 2016 (Afghanistan), r. 14(f). 832 National Payment System Regulations 2014 (Kenya), r. 17. 833 Payment Services Act 2019 (Singapore), s. 18 (prohibits a licensee providing payment services through an agent unless the agent is licensed). 834 BNM Guideline on E-Money 2016 (Malaysia), s. 7.1.3. 835 National Payment System Regulations 2014 (Kenya), r. 24. 836 PSD2, art. 97. 146   Consumer Risks in Fintech 837 PSD2, art. 4. 838 People’s Bank of China Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions 2016 (China), art. 22–24. 839 PSD2, art. 73 and 74. 840 PSD2, art. 71. (The relevant period is 13 months.) 841 ePayments Code 2016 (Australia), clauses 11 and 12. 842 National Payment System Regulations 2014 (Kenya), r. 28(5). 843 PSD2, art. 51(5), 69 and 70. 844 Regulation on Electronic Fund Transfers 2016 (Afghanistan), art. 6(6). 845 PSD2, art. 72(1). 846 Payment Systems and Services Act 2019 (Ghana), art. 20(2). 847 World Bank Group, Good Practices, annex A, s. C6(a). 848 “Growing and Globalising” in GSMA, State of the Industry Report on Mobile Money 2019. 849 The World Bank Group’s Global Financial Inclusion and Consumer Protection Survey found that more than 75 percent of responding jurisdictions that permitted agent relationships had rules in place to hold a financial institution liable for its agents’ actions or omissions. See also Kerse et al., Technical Note on the Use of Agents. 850 National Payment System Regulations 2014 (Kenya), rr. 14(4) and (5). 851 BI Regulation on Consumer Protection in Payments System 2014 (Indonesia), s. 10. 852 Payment Systems and Services Act 2019 (Ghana), s. 86(1). 853 Use of Agents Directive 2020 (Ethiopia), art. 6(1). 854 Payment Systems (E-Money) Regulations 2019 (Malawi), s. 21 (3)(f). 855 Payment Systems and Services Act 2019 (Ghana), s. 91 (2)(b). 856 Regulation of Mobile and Agent Banking Services Directives 2012 (Ethiopia), art. 9.2.7. 857 Regulation of Mobile and Agent Banking Services Directives 2012 (Ethiopia), art. 13(1). 858 PSD2, art. 96(1). 859 ePayments Code (Australia), clauses 12 and 13. 860 PSD2, art. 55(5). 861 BNM Guideline on E-Money 2016 (Malaysia), s. 9.2. 862 G20, G20 High-Level Principles for Digital Financial Inclusion, Principle 4. 863 Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion in the Fintech Era, Guiding Principle 3. 864 Executive summary and “A Step towards a Digital Future for All” in GSMA, State of the Industry Report on Mobile Money 2019. As noted above, other 2019 statistics from the GSMA report include 371 million active accounts (up 13.6 percent), 37.1 billion transaction volume (up 21.8 percent), and $690.1 billion in transaction value (up 26 percent). The GSMA estimates transaction value will be $1 trillion by 2023. 865 Safaricom, “Update on April 24th Network Outage.” 866 allAfrica, “Kenya to Investigate Mobile Operator’s M-Pesa Outage.” 867 Zimmerman and Baur, “Understanding How Consumer Risks.” 868 Payment Systems and Services Act 2019 (Ghana), arts. 20 and 15, respectively. 869 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 5(2). 870 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 15. 871 PSD2 applies to e-money institutions, as well as other payment service providers (see Article 1). However, a separate directive, Directive 2009/110 on Electronic Money Institutions 2009, covers the “taking up, pursuit and prudential supervision of the business of electronic money institutions.” 872 PSD2, art. 95. 873 National Payment System Regulations 2014 (Kenya), r. 27(2). 874 E-Money Regulations 9 (Malawi), rr. 14–17 . 875 Payment Systems and Services Act 2019 (Ghana), s. 45(1) (i). 876 Regulation on Electronic Fund Transfers (Afghanistan), art. 14(2) and (3). 877 Measures for the Administration of Online Payment Services 2016 (China), art. 31. 878 PSD2, art. 96. 879 Payment Systems and Services Act 2019 (Ghana), s. 45(2). 880 Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), art. 12(2) and 13.2. 881 Regulation on Electronic Fund Transfers (Afghanistan), art. 14 (1). 882 Payment Systems and Services Act 2019 (Ghana), ss. 57–62. 883 PSD2, art. 89(1). 884 PSD2, art. 84, 89, and 93. 885 ePayments Code 2016 (Australia), clauses 14. 886 See, for example, G20, G20 High-Level Principles for Digital Financial Inclusion, Principles 2 and 5; Better Than Cash Alliance, Responsible Digital Payments Guidelines, Guideline 2. 887 Mobile Money Service Providers Practice Note 2019 (Eswatini), art. 22.4. 888 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 17(3). 889 DAB Electronic Money Institutions Regulation 2016 (Afghanistan), r. 14(e)(2). 890 PSD2, art. 72. 891 PSD2, art. 88. E-Money  147 892 ePayments Code 2016 (Australia), Chapter E. 893 Chen, Fiorillo, and Hanouch, “Smartphones & Mobile Money.” 894 Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion, s. 3.1.2.3; Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion in the Fintech Era, s. 4.2.4. 895 Adrian and Mancini-Griffoli, Rise of Digital Money, 4 and following. 896 EU Directive 2009/110 on Electronic Money Institutions 2009, Recital para 13 and art. 6(3). 897 GSMA, Safeguarding Mobile Money, 5. 898 World Bank Group, Prudential Regulatory and Supervisory Practices (see “Approaches to Supervision”). 899 See Kerse and Staschen, Safeguarding Rules for Customer Funds. 900 Payment Systems (E-Money) Regulations 2019 (Malawi), Part IV. 901 PSD2, art. 10, and see also EU Directive 2009/110 on Electronic Money Institutions 2009, art. 7. 902 BI Regulation on E-Money 2018 (Indonesia), art. 48. 903 Payments Systems (Electronic Money) Regulations, 2015 (Tanzania), Part V. 904 National Payment System Regulations 2014 (Kenya), r. 25(3) and Fourth Schedule. 905 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 7(7). More generally, for examples of spreading e-float funds across multiple banks and other fund safeguarding measures see Kerse and Staschen, Safeguarding Rules for Customer Funds and GSMA, Safeguarding Mobile Money. 906 Directive 2009/110 on Electronic Money Institutions 2009 (EU). 907 Payment Systems and Services Act 2019 (Ghana), s. 31. 908 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 5(4). 909 Financial Services Act (Malaysia), s. 14(2). 910 Payment Services Act 2019 (Singapore), s. 20. 911 Payment Systems (E-Money) Regulations 2019 (Malawi),r. 5(5). 912 BI Regulation on E-Money, 2018 (Indonesia), art. 17(2). 913 Basel Committee on Banking Supervision, “Guidance on Application of Core Principles” (Principles 1 and 4). 914 BSP E-Money Circular 2009 (Philippines), s. 5(B). 915 National Payment System Regulations 2014 (Kenya), r. 25(2). 916 BNM Guideline on E-Money 2016 (Malaysia), s. 10.1. 917 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 21(3). 918 BNM Guideline on Electronic Money (Malaysia), ss. 4, 5, and 14.2. 919 World Bank Group, Prudential Regulatory and Supervisory Practices (see especially table 4). 920 Izaguirre et al., Deposit Insurance Treatment of Money. 921 Izaguirre et al., Deposit Insurance Treatment of Money. 922 World Bank Group, Prudential Regulatory and Supervisory Practices (see “Approaches to Safety Nets”). 923 Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion, s. 4.2.4 and Guideline 2. 924 Payment Systems and Services Act 2019 (Ghana), s. 46. 925 DAB Electronic Money Institutions Regulation 2016 (Afghanistan), r. 14. 926 BSP E-Money Circular 2009 (Philippines), ss. 2(2), 4(C), and 4(G). 927 Measures for the Administration of Online Payment Services by Non-Bank Payment Institutions 2016 (China), art. 7. 928 See Consumer Financial Protection Bureau. 2016. Final Rule on Prepaid Accounts under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z) (USA). 929 Electronic Fund Transfer (Regulation E) 12 CFR Part 1005 (USA), para. 1005.18(b)(2)(xi). 930 Reserve Bank of Zimbabwe, “Cash-In, Cash-Out and Cash-Back Facilities.” 931 Electronic Money Institution’s Regulation 2016 (Afghanistan), art. 14(b). 932 Directive 2009/110 on Electronic Money Institutions 2009 (EU), art. 11. 933 Payment Systems and Services Act 2019 (Ghana), s. 29. 934 National Payment System Regulations 2014 (Kenya), r. 44(1). 935 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 5(10). 936 BSP E-Money Circular 2009 (Philippines), s. 4C. 937 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 5(5). 938 Payment Services Act 2019 (Singapore), s. 19. 939 Numerous international standards highlight this risk. See, for example, World Bank Group, Good Practices, annex A, ss. B3, B4, and B7; Committee on Payments and Market Infrastructures and World Bank Group, Payment Aspects of Financial Inclusion in the Fintech Era, Principle 5 (“Establish Responsible Digital Financial Practices to Protect Con- sumers”); Better Than Cash Alliance, Responsible Digital Payments Guidelines, Principle 3. See also Staschen, “Basic Regulatory Enablers.” 940 Mazer and Rowan, “Competition in Mobile Financial Services.” 941 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 24(1). 942 Payment Systems and Services Act 2019 (Ghana), s. 44(b), and see also s. 45(6) regarding marketing materials. 943 BI Regulation on E-Money 2018 (Indonesia), art. 43, and BI Consumer Protection in Payment Service Regulation 2014 (Indonesia), art 3 and 11. 944 Financial Services Act 2013 (Malaysia), s. 124 (1) and Schedule 7, and Malaysia E Money Guideline 2008 (Malaysia), ss. 9.2(i) and 9.3. 148   Consumer Risks in Fintech 945 Consumer Protection Framework 2016 (Nigeria), s. 2.3. 946 PSD2, art. 52. 947 ePayments Code. 948 Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), art. 12(2). 949 BI Consumer Protection in Payment Service Regulation 2014 (Indonesia), art. 11. 950 National Payment System Regulations 2014 (Kenya), r. 35(1). 951 Consumer Protection Framework 2016 (Nigeria), s. 2.3.1. 952 Mobile Money Service Providers Practice Note 2019 (Eswatini), s. 22.1. 953 PSD2, arts. 51 and 52. 954 National Payment System Regulations 2014 (Kenya), r. 35 (1). 955 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 24(2). 956 BNM Guideline on Electronic Money 2008 (Malaysia), s. 9.3. 957 Consumer Protection Framework 2016 (Nigeria), s. 2.3.1. 958 United Kingdom Payment Account Regulations: Final Linked Services List 2018, and EBA, Final Report on Standard- ized Terminology. 959 Mazer, “Kenya’s Rules on Mobile Money Price Transparency Awareness.” 960 National Payment System Regulations 2014 (Kenya), r. 35(1)(b). 961 BNM Guideline on Electronic Money 2016 (Malaysia), s. 9(3)(i). 962 National Payment System Regulations 2014 (Kenya), rr. 41(1)(a) and (2). 963 People’s Bank of China Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions 2016 (China), art. 7. 964 Payment Systems and Services Act 2019 (Ghana), ss. 453) and (4). 965 BI Regulation Concerning E-Money 2018 (Indonesia), art. 9.3. 966 BSP E-Money Circular 2009 (Philippines), s. 4(G). 967 Bold and Pillai, “The Impact of Shutting Down Mobile Money in Uganda.” 968 ePayments Code 2016 (Australia), clauses 4 .11–4.17 and 21. 969 PSD2, art. 52. 970 Payment Systems and Services Act 2019 (Ghana), s. 45(9). 971 PSD2, art. 55(3). 972 Better Than Cash Alliance, Responsible Digital Payments Guidelines, Guideline 3. 973 National Payment System Regulations 2014 (Kenya), r. 35. 974 PSD2, art. 57 and 58. 975 People’s Bank of China Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions 2016 (China), art. 28. 976 Payment Systems (E-Money) Regulations 2019 (Malawi), r. 17(4). 977 World Bank Group, Good Practices, annex A, s. B6. 978 ePayments Code 2016 (Australia), clauses 5.8 and 7.1–7.7 979 Regulation of Mobile and Agent Banking Services Directives 2012 (Ethiopia), art. 12.8. 980 Mobile Money Service Providers Practice Note 2019 (Eswatini), s. 22.4(g). 981 Electronic Money Institution’s Regulation 2016 (Afghanistan), r. 14(e)(2). 982 World Bank Group, Good Practices, annex A, B1(c), and Better Than Cash Alliance, Responsible Digital Payments Guidelines, Principle 3. 983 PSD2, art. 51, and, in art. 4, the definition of a durable medium. 984 BNM Guideline on E-Money 2016 (Malaysia), s. 9.1. 985 World Bank Group, Good Practices, annex A, s. B2. 986 FCA, General Standards and Communication Rules, para 3.34–3.39. 987 FCA, General Standards and Communication Rules, para 3.18–3.24. 988 Payment Systems and Services Act 2019 (Ghana), s. 45(6)(a). 989 National Payment System Regulations 2014 (Kenya), r. 37, requires that advertisements be precise and clearly under- stood, not misleading, and comprehensive enough to inform customers properly of the main features and conditions. Further, the Financial Services Act (Malaysia) prohibits engaging in misleading and deceptive conduct in relation to the “nature, features, terms or price” of financial products and services. 990 For example, the commentary on the PSD2 notes that consumers should continue to be protected against unfair and misleading practices by other specified directives (such as 2005/29/EC, relating to unfair business to consumer prac- tices, and 2011/83/EU, relating to consumer rights). 991 FCA, General Standards and Communication Rules, s. 2.3.1A of Annex C—Amendments to the Banking: Conduct of Business Sourcebook. 992 G20, G20 High-Level Principles for Digital Financial Inclusion, Principle 1. 993 See Boeddu and Grady, Product Design and Distribution. 994 Corporations Act 2001 (Cth) (Australia), Part 7.7. REFERENCES Legislation, Binding Rules, and Regulatory Guidance Afghanistan. Electronic Money Institutions Regulation. 2016. Afghanistan. Regulation on Electronic Fund Transfers. 2016. Australia. ASIC Corporations (Product Intervention Order – Short Term Credit) Instrument 2019/917. 2019. Australia. Corporations Act (Cth). 2001. Australia. Corporations Amendment (Crowd-sourced Funding) Act (Cth). 2017. Australia. Corporations Amendment (Design and Distribution Obligations) Regulations (Cth). 2019. Australia. Corporations Regulations (Cth). 2001. Australia. ePayments Code. 2016. Australia. Explanatory Memoranda, A Corporations Amendment (Crowd-sourced Funding for Proprietary Companies) Bill 2017. Australia. National Consumer Credit Protection Act (Cth). 2009. Belgium. Consumer Credit Act. 1991. Brazil. National Monetary Council Resolution Number 4,656. April 26, 2018. Brazil. Securities and Exchange Commission Instruction No. 588, of July 13, 2017. California (United States of America). Consumer Privacy Act. 2018. China. Guide to the Administration of Recordation and Registration of Peer-to-Peer Lending Information Intermediaries. China Banking Regulatory Commission and other authorities, October 28, 2016. China. Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries. China Banking Regulatory Commission, August 23, 2016. China. Guidelines for Online Lending Fund Depository Business. China Banking Regulatory Commission, February 22, 2017. China. Guiding Opinions on Promoting the Healthy Development of Internet Finance. 2015. China. Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions. China Banking Regulatory Commission and other authorities, August 17, 2016. China. Peer-to-Peer Lending Information Intermediaries of Guangdong Province—Detailed Implementation Rules for Recordation and Registration (Exposure Draft). February 14, 2017. China. People’s Bank of China Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions. 2016. Dubai. Dubai Financial Services Authority Rulebook—April 2020. Dubai. Regulatory Law No. 1 of 2004. Eswatini. Mobile Money Service Providers Practice Note. 2019. Ethiopia. Licensing and Authorization of Payment Issuers Directive No. ONPS/01/2020. Ethiopia. Use of Agents Directive No. FIS/02/2020. EU (European Union). Directive 2002/65/EC on Distance Marketing of Consumer Financial Services. 2002. EU. Directive 2008/48 on Consumer Credit Agreements. 2008. 149 150   Consumer Risks in Fintech EU. Directive 2009/110 on Electronic Money Institutions. 2009. EU. Directive 2011/83 on Consumer Rights. 2011. EU. Directive 2014/65/EU on Markets in Financial Instruments. 2014. EU. Directive 2015/2366 on Payments Services. 2015. EU. Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). 2016. EU. Regulation 2020/1503 on European crowdfunding service providers for business. 2020. France. Official order No. 2014-559 of 30 May 2014 on crowdfunding. 2014. Ghana. Payment Systems and Services Act. 2019. Hong Kong. Hong Kong Monetary Authority Guiding Principles on Consumer Protection in Respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions. 2019. India. NBFC (Non-Banking Financial Company)—Peer to Peer Lending Platform (Reserve Bank) Directions. 2017. Indonesia. Bank Indonesia Regulation on Consumer Protection in Payments System. 2014. Indonesia. Bank Indonesia Regulation on E-Money. 2018. Indonesia. Financial Services Authority Circular Number 18/SEOJK.02/2017 Regarding Information Technology Risk Management and Management in Information Technology-Based Lending. Indonesia. Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services. Italy. Resolution no. 18592 of 26 June 2013. Japan. Financial Instruments and Exchange Act No. 25. 1948. Japan. Money Lending Business Act No. 32. May 13, 1983. Kenya. National Payment System Regulations. 2014. Korea (Republic of). Online Investment-Linked Finance and Protection of Users Act. 2019. Latvia. Consumer Rights Protection Law. 1999. Lithuania. Guidelines on Advertising Financial Services, Bank of Lithuania, 2012. Malawi. Payment Systems (E-Money) Regulations. 2019. Malaysia. Bank Negara Malaysia Financial Services (Designated Payment Instruments) Order. 2013. Malaysia. Bank Negara Malaysia Guideline on Electronic Money. 2016. Malaysia. Bank Negara Malaysia Guidelines on Recognized Markets SC-GL/6-2015 (R4-2020). Malaysia. Financial Services Act. 2013. Mexico. Banking and Securities Commission—General Provisions Applicable to Financial Technology Institutions. September 10, 2018, amended March 25, 2019. Mexico. Banking and Securities Commission—General Provisions of CONDUSEF on Transparency and Sound Practices Applicable to Financial Technology Institutions. July 9, 2019. Mexico. Financial Technology Institutions Law. 2018. Mexico. Law on Transparency for Financial Services. 2007. Netherlands. Consumer Credit Act. 2011. Nigeria. Central Bank of Nigeria Consumer Protection Framework. 2016. Paraguay. Circular SB. SG. No. 00065/2015. Peru. Emergency Decree No. 013-2020-JUS/DGTAIPD. 2020. Philippines. Bangko Sentral ng Pilipinas E-Money Circular. 2009. Philippines. National Privacy Commission Circular No. 20-01 on Guidelines on the Processing of Personal Data for Loan-Related Transactions. 2020. Portugal. Banco de Portugal Circular Letter No. CC/2020/00000044 on Best Practices Applicable to the Selling of Retail Banking Products and Services through Digital Channels. Portugal. Notice of Banco de Portugal No. 4/2017. Singapore. Payment Services Act. 2019. South Africa. Department of Trade and Industry Regulations on Review of Limitations on Fees and Interest Rates. 2015. South Africa. National Credit Act. 2005. Tanzania. Payments Systems (Electronic Money) Regulations. 2015. UK. The Contingent Reimbursement Model Code for Authorised Push Payments Scams. 2019. UK. Financial Conduct Authority Client Assets Sourcebook—October 2020. UK. Financial Conduct Authority Conduct of Business Sourcebook—October 2020. UK. Financial Conduct Authority Consumer Credit Sourcebook—October 2020. UK. Financial Conduct Authority Principles for Businesses—October 2020. References  151 UK. Financial Conduct Authority Senior Management Arrangements, Systems and Controls Sourcebook— October 2020. UK. Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544). USA. Consumer Financial Protection Bureau’s Final Rule on Prepaid Accounts under the Electronic Fund Transfer Act. 2016. USA. Electronic Fund Transfer (Regulation E) 12 CFR Part 1005. USA. Regulation Crowdfunding, General Rules and Regulations 17 CFR Part 227. USA. Securities Act. 1933. USA. Truth in Lending (Regulation Z). USA. Truth in Lending Act. 1968. Other Sources Adrian, T., and T. Mancini-Griffoli. The Rise of Digital Money (Fintech Note No. 19/001). International Monetary Fund, 2019. https://www.imf.org/en/Publications/fintech-notes/Issues/2019/07/12/The- Rise-of-Digital-Money-47097#:~:text=FinTech%20Notes&text=The%20series%20will%20carry%20 work,banks%20and%20credit%20card%20companies. AFI (Alliance for Financial Inclusion). “Digitally Delivered Credit: Consumer Protection Issues and Policy Responses to New Models of Digital Lending.” AFI Global, 2017. https://www.afi-global.org/sites/ default/files/publications/2017-11/AFI_CEMC_digital%20survey_AW2_digital.pdf. AFI. “Digitally Delivered Credit: Policy Guidance Note and Results from Regulator Survey.” AFI Global, 2015. https://www.afi-global.org/sites/default/files/publications/guidelinenote-17_cemc_digitally_ delivered.pdf. AFI. “Policy Framework for Responsible Digital Credit.” AFI Global, 2020. https://www.afi-global.org/ publications/3216/Policy-Framework-for-Responsible-Digital-Credit. AFI. “Policy Model for E-Money.” AFI Global, 2019. https://issuu.com/afi-global/docs/afi_dfs_emoney_aw_ digital. AI Now Institute. “Algorithmic Accountability Policy Toolkit.” New York University, 2018. allAfrica. “Kenya to Investigate Mobile Operator’s M-Pesa Outage.” allAfrica InFocus. https://allafrica.com/ view/group/main/main/id/00065353.html. ASBA (Association of Supervisors of Banks of the Americas) and IDB (Inter-American Development Bank). Consumer Protection in the New Environment of Financial Technological Innovation: Regulatory and Supervisory Considerations. ASBA and IDB, 2020. http://www.asbasupervision.com/en/bibl/publications- of-asba/working-groups/2378-consumer-protection-1/file. ASBA and IDB. Global Fintech Regulation and Supervision Practices. ASBA and IDB, 2020. http://www. asbasupervision.com/en/bibl/publications-of-asba/working-groups/2205-global-fintech-regulation-and- supervision-practices/file. ASIC (Australian Securities and Investments Commission). Crowd-Sourced Funding: Guide for Companies (Regulatory Guide 261). ASIC, June 2020. https://download.asic.gov.au/media/5702668/rg261- published-19-june-2020-20200727.pdf. ASIC. Facilitating Digital Financial Services Disclosures (ASIC Regulatory Guide 221), March 2016. https:// download.asic.gov.au/media/3798806/rg221-published-24-march-2016.pdf. ASIC. Marketplace Lending (Peer-to-Peer Lending) Products (Information Sheet 213). ASIC, 2016. https:// asic.gov.au/regulatory-resources/financial-services/marketplace-lending/marketplace-lending-peer-to- peer-lending-products/. ASIC. Survey of Marketplace Lending Providers (Report 526). ASIC, 2017, para 17–18. https://download.asic. gov.au/media/4276660/rep-526-published-1-june-2017.pdf. ASIC. Survey of Marketplace Lending Providers: 2016–2017 (Report 559). ASIC, 2017, para 45–46. https:// download.asic.gov.au/media/4573524/rep559-published-14-december-2017.pdf. ASIC. Survey of Marketplace Lending Providers: 2017–2018 (Report 617). ASIC, 2019. https://download.asic. gov.au/media/5074452/rep617-published-12-april-2019.pdf. Australian Competition and Consumer Commission. Guidelines for Developing Effective Voluntary Industry Codes of Conduct. 2011. https://www.accc.gov.au/system/files/Guidelines%20for%20developing%20 effective%20voluntary%20industry%20codes%20of%20conduct.pdf. Bae. H. “S. Korea to Place Investment Cap on Peer-to-Peer Lending” The Korea Herald, March 30, 2020. http://www.koreaherald.com/view.php?ud=20200330000800#. Balyuk, T. “Financial Innovation and Borrowers: Evidence from Peer-to-Peer Lending” (Rotman School of Management Working Paper No. 2802220). 2019. https://ssrn.com/abstract=2802220. Basel Committee on Banking Supervision. “Guidance on the Application of the Core Principles for Effective Banking Supervision to the Regulation and Supervision of Institutions Relevant to Financial Inclusion.” Bank for International Settlements, 2016. https://www.bis.org/bcbs/publ/d383.pdf. 152   Consumer Risks in Fintech Berg, T., V. Burg, A. Gombovi, and M. Puri. “On the Rise of FinTechs—Credit Scoring Using Digital Footprints.” The Review of Financial Studies 33, no. 7 (July 2020), 2845–97. Better Than Cash Alliance. Responsible Digital Payments Guidelines. Better Than Cash Alliance, 2016. https://btca-prod.s3.amazonaws.com/documents/212/english_attachments/DigitalGuidelines-withMemo- MECH-Update1d.pdf?1504714863. BFA Global. “Dipstick Surveys: The Financial Impact of Covid-19 on Low-Income Populations.” BFA Global, 2020. https://bfaglobal.com/our-work/covid-19-impact/. Blechman, J. “Mobile Credit in Kenya and Tanzania: Emerging Regulatory Challenges in Consumer Protection, Credit Reporting and Use of Customer Transactional Data.” African Journal of Information and Communication, no. 17, 2016. http://www.macmillankeck.pro/media/pdf/AJIC_Issue_17_2016_ Blechman.pdf. Boeddu, G., and R. Grady. Product Design and Distribution: Emerging Regulatory Approaches for Retail Banking Products (Discussion Note). World Bank Group, 2019. http://documents1.worldbank.org/ curated/en/993431567620025068/pdf/Product-Design-and-Distribution-Emerging-Regulatory- Approaches-for-Retail-Banking-Products-Discussion-Note.pdf. Bold, C., and R. Pillai. 2016. “The Impact of Shutting Down Mobile Money in Uganda.” CGAP Blog, March 7, 2016. https://www.cgap.org/blog/impact-shutting-down-mobile-money-uganda. Buku, M. “Innovation in Mobile Money: What Are the Risks?” CGAP Blog, May 25, 2017. Buku, M., and R. Mazer. “Fraud in Mobile Financial Services: Protecting Consumers, Providers, and the System.” CGAP Brief, April 2017. https://www.cgap.org/sites/default/files/Brief-Fraud-in-Mobile- Financial-Services-April-2017.pdf. Busara Center for Behavioral Economics. Pricing Transparency, Switching Costs, and Accountability. Final Report: Experimental Results and Analysis. 2017. Caplan, R., J. Donovan, L. Hanson, and J. Matthews. Algorithmic Accountability: A Primer. Data & Society, 2018. https://datasociety.net/library/algorithmic-accountability-a-primer/. CCAF (Cambridge Centre for Alternative Finance). The Global Alternative Finance Market Benchmarking Report. CCAF, 2020. https://www.jbs.cam.ac.uk/faculty-research/centres/alternative-finance/publications/ the-global-alternative-finance-market-benchmarking-report/. CCAF. The Third Asia Pacific Region Alternative Finance Industry Report. CCAF, 2018. https://www.jbs.cam. ac.uk/fileadmin/user_upload/research/centres/alternative-finance/downloads/2018-3rd-asia-pacific- alternative-finance-industry-report.pdf. Central Bank of Ireland. Consumer Notice on Crowdfunding, Including Peer-to-Peer Lending. Information Notice, June 2014. Central Bank of Kenya. The 2016 FinAccess Household Survey on Financial Inclusion. Kenya National Bureau of Statistics and FSD Kenya, 2016. https://s3-eu-central-1.amazonaws.com/fsd-circle/wp-content/ uploads/2016/02/30093031/The-2016-FinAccess-household-survey-report4.pdf. CGTN Africa. “Google Fails to Stamp Out Short-Term Payday Lending Apps.” CGTN Africa, January 24, 2020. https://africa.cgtn.com/2020/01/24/google-fails-to-stamp-out-short-term-payday-lending-apps/. Chen, G., A. Fiorillo, and M. Hanouch. “Smartphones & Mobile Money: Principles for UI/UX Design (1.0)” (slide deck). Consultative Group to Assist the Poor, October 2016. https://www.cgap.org/sites/default/ files/publications/slidedeck/principlesofsmartphonedesign05oct16-161005230428.pdf. Committee of Advertising Practice (UK). “Trivialisation in Short-Term High-Cost Credit Advertisements” (Advertising Guidance). June 2015. https://www.asa.org.uk/asset/3EE84177-B1BE-4E77- 9292EA4F7CD5091E.FFBC27CC-F120-4877-BD230015141DE7CE/. Committee on the Global Financial System and Financial Stability Board Working Group. FinTech Credit: Market Structure, Business Models and Financial Stability Implications. Financial Stability Board and Committee on the Global Financial System, May 22, 2017. https://www.bis.org/publ/cgfs_fsb1.pdf. Committee on Payments and Market Infrastructures and World Bank Group. Payment Aspects of Financial Inclusion. Bank for International Settlements, 2016. https://www.bis.org/cpmi/publ/d144.htm. Committee on Payments and Market Infrastructures and World Bank Group. Payment Aspects of Financial Inclusion in the Fintech Era. Bank for International Settlements, 2020. https://www.bis.org/cpmi/publ/ d191.htm. Cornelli, G., J. Frost, L. Gambacorta, R. Rau, R. Wardrop, and T. Ziegler. Fintech and Big Tech Credit: A New Database (Working Paper No. 887). Bank for International Settlements, 2020. https://www.bis.org/publ/ work887.htm. Davis, K., and J. Murphy. “Peer-to-Peer Lending: Structures, Risks and Regulation.” JASSA The Finsia Journal of Applied Finance, no. 3 (2016), 37–44. https://www.finsia.com/docs/default-source/jassa-new/ JASSA-2016-/jassa-2016-issue-3/jassa-2016-iss-3-complete-issue.pdf. Deng, C., and X. Yu. “China’s Once-Hot Peer-to-Peer Lending Business Is Withering.” Wall Street Journal, February 2, 2020. https://www.wsj.com/articles/chinas-once-hot-peer-to-peer-lending-business-is- withering-11580644804. References  153 Dentons. “SEC Adopts Final Rules for Securities Crowdfunding under Title III of the JOBS Act.” Dentons, December 2015. https://www.dentons.com/en/~/media/7ee86097b5ad4e47a7469ea3cb554e87.ashx. Duoguang, B. “Growing with Pain: Digital Financial Inclusion in China.” Chinese Academy of Financial Inclusion, 2018. http://www.cafi.org.cn/upload/file/20190121/1548034976707794.pdf. EBA (European Banking Authority). Final Report on Guidelines on Loan Origination and Monitoring (EBA/ GL/2020/06). EBA, 2020. https://eba.europa.eu/sites/default/documents/files/document_library/ Publications/Guidelines/2020/Guidelines%20on%20loan%20origination%20and%20monitoring/884283/ EBA%20GL%202020%2006%20Final%20Report%20on%20GL%20on%20loan%20origination%20 and%20monitoring.pdf. EBA. Final Report on Standardized Terminology, Fee Information Documents and Statement of Fees for Common Services Linked to Payments Accounts. EBA, 2017. EBA. “Opinion of the European Banking Authority on Lending-Based Crowdfunding” (EBA/Op/2015/03). EBA, February 26, 2015. https://eba.europa.eu/documents/10180/983359/EBA-Op-2015-03+%28EBA+ Opinion+on+lending+based+Crowdfunding%29.pdf. EBA. Second EBA Report on the Application of the Guidelines on Product Oversight and Governance (POG) Arrangements (EBA/GL/2015/18) (EBA/REP/2020/28). EBA, 2020. https://eba.europa.eu/sites/default/ documents/files/document_library/Publications/Reports/2020/935640/Second%20EBA%20report%20 on%20the%20application%20of%20the%20POG%20guidelines%20arrangements.pdf. EC (European Commission). Behavioral Study on the Digitalisation of the Marketing and Distance Selling of Retail Financial Services. EC, April 2019. https://ec.europa.eu/info/sites/info/files/live_work_travel_in_ the_eu/consumers/digitalisation_of_financial_services_-_main_report.pdf. EC. Crowdfunding Explained. EC, 2015. https://ec.europa.eu/docsroom/documents/10229/attachments/1/ translations/en/renditions/pdf. EC. Crowdfunding in the EU Capital Markets Union. EC, 2016. https://ec.europa.eu/info/system/files/ crowdfunding-report-03052016_en.pdf. EC. “Inception Impact Assessment: Legislative Proposal for an EU Framework on Crowd and Peer to Peer Finance.” EC, 2017. https://ec.europa.eu/info/law/better-regulation/initiative/1166/publication/124034/ attachment/090166e5b61525a3_fr. EC. “Proposal for a Directive of the European Parliament and of the Council amending Directive 2014/65/ EU on markets in financial instruments.” EC, 2018. https://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=CELEX:52018PC0099 EC. “Proposal for a Regulation of the European Parliament and of the Council on European Crowdfunding Service Providers (ECSP) for Business.” EC, 2018. https://eur-lex.europa.eu/resource. html?uri=cellar:0ea638be-22cb-11e8-ac73-01aa75ed71a1.0003.02/DOC_1&format=PDF. The Economist. “Created to Democratise Credit, P2P Lenders Are Going After Big Money.” The Economist, December 5, 2019. https://www.economist.com/finance-and-economics/2019/12/05/created-to- democratise-credit-p2p-lenders-are-going-after-big-money. EFIN (European Financial Inclusion Network) Working Group on Over-Indebtedness. Indicators to Monitor Over-Indebtedness. EFIN, 2016. http://mfc.org.pl/wp-content/uploads/2017/03/EFIN-WG-Over- Indebtedness-Indicators-VF6Dec.pdf.pdf. Ehrentraud, J., D. Garcia Ocampo, L. Garzoni, and M. Piccolo. Policy Responses to Fintech: A Cross-Country Overview (FSI Insights on Policy Implementation No. 23). Bank for International Settlements, 2020. https://www.bis.org/fsi/publ/insights23.pdf. European Central Bank. Guide to Assessments of Fintech Credit Institution License Applications. 2018. European Parliamentary Research Service. A Governance Framework for Algorithmic Accountability and Transparency. April 2019. Faridi, O. “P2P Fintech Lending Sector in Indonesia May Struggle Due to Risky Loans, as Lenders Rejected Over 50% of Restructuring Requests.” Crowdfund Insider, June 11, 2020. crowdfundinsider. com/2020/06/162599-p2p-fintech-lending-sector-in-indonesia-may-struggle-due-torisky-loans-as- lenders-rejected-over-50-of-restructuring-requests/. Financial Action Task Force. Virtual Currencies: Key Definitions and Potential AML/CFT Risks. Financial Action Task Force, 2014. https://www.fatf-gafi.org/media/fatf/documents/reports/Virtual-currency-key- definitions-and-potential-aml-cft-risks.pdf. FCA (Financial Conduct Authority). Detailed Rules for the Price Cap on High-Cost Short-Term Credit Including Feedback on CP14/10 and Final Rules (PS14/16). FCA, 2014. FCA. The FCA’s Regulatory Approach to Crowdfunding (and Similar Activities) (CP13/13). FCA, October 2013. https://www.fca.org.uk/publication/consultation/cp13-13.pdf. FCA. The FCA’s Regulatory Approach to Crowdfunding over the Internet, and the Promotion of Non-Readily Realisable Securities by Other Media: Feedback to CP13/13 and Final Rules (PS14/04). FCA, 2014. https://www.fca.org.uk/publication/policy/ps14-04.pdf. FCA. Feedback Statement FS16/10 on Smarter Consumer Communications. FCA, October 2016. https:// www.fca.org.uk/publication/feedback/fs16-10.pdf. 154   Consumer Risks in Fintech FCA. Financial Lives Survey. FCA, 2020. https://www.fca.org.uk/publications/research/understanding- financial-lives-uk-adults. FCA. General Standards and Communication Rules for the Payment Services and E-money Sectors (PS19/3). FCA, 2019. https://www.fca.org.uk/publication/policy/ps19-03.pdf. FCA. Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms: Feedback on Our Post- Implementation Review and Proposed Changes to the Regulatory Framework (CP18/20). FCA, 2018. https://www.fca.org.uk/publication/consultation/cp18-20.pdf. FCA. Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms: Feedback to CP18/20 and Final Rules (CP19/14). FCA, 2019. https://www.fca.org.uk/publication/policy/ps19-14.pdf. FCA. Message Received? The Impact of Annual Summaries, Text Alerts, and Mobile Apps on Consumer Banking Behavior (FCA Occasional Paper No. 10). FCA, March 2015. https://www.fca.org.uk/publication/ occasional-papers/occasional-paper-10.pdf. FCA. “A Review of the Regulatory Regime for Crowdfunding and the Promotion of Non-Readily Realisable Securities by Other Media.” FCA, February 2015. https://www.fca.org.uk/publication/thematic-reviews/ crowdfunding-review.pdf. FCA. “Temporary Intervention on the Marketing of Speculative Mini-Bonds to Retail Investors.” FCA, November 2019. https://www.fca.org.uk/publication/tpi/temporary-intervention-marketing-speculative- mini-bonds-retail-investors.pdf. Financial Markets Authority of New Zealand. Fair Dealing in Advertising and Communications— Crowdfunding and Peer-to-Peer Lending. Financial Markets Authority, 2018. https://www.fma.govt.nz/ compliance/guidance-library/advertising-and-comms-in-crowdfunding-and-p2p/. Financial Services Agency (Japan). Amendment of Financial Instruments and Exchange Act, and so on (Act No.44 of 2014) [Briefing Materials], May 2014. Financial Times. “Ant Posed Threat to China’s Centralised Control.” Financial Times, November 9, 2020. https://www.ft.com/content/e703082a-2007-4bd3-aebc-f3e26f6085ae. FinCoNet (International Financial Consumer Protection Organisation). “FinCoNet Annual General Meeting 2020,” press release, November 2020. http://www.finconet.org/Press-release-FinCoNet_AGM-Nov-2020. pdf. FinCoNet. FinCoNet Report on Responsible Lending. FinCoNet, 2014. http://www.finconet.org/FinCoNet- Responsible-Lending-2014.pdf. FinCoNet. Guidance to Supervisors on Digitalisation of Short-Term, High-Cost Consumer Credit. FinCoNet, February 2019. http://www.finconet.org/Guidance_Supervisors_Digitalisation_STHCCC.pdf. FinCoNet. Guidance to Supervisors on the Setting of Standards in the Field of Sales Incentives and Responsible Lending. FinCoNet, 2016. FinCoNet. Report on the Digitalisation of Short-Term, High-Cost Consumer Credit. FinCoNet, November 2017. http://www.finconet.org/Digtalisation-Short-term-High-cost-Consumer-Credit.pdf. FinCoNet. SupTech Tools for Market Conduct Supervisors. FinCoNet, November 2020. http://www.finconet. org/FinCoNet-Report-SupTech-Tools_Final.pdf. FSD Kenya (Financial Sector Deepening Kenya). Digital Credit Audit Report. FSD Kenya, 2019. https:// s3-eu-central-1.amazonaws.com/fsd-circle/wp-content/uploads/2019/11/13160713/Digital-Credit-audit- report.pdf. FSD Kenya. “Tech-Enabled Lending in Africa,” presentation, August 28, 2018. https://s3-eu-central-1. amazonaws.com/fsd-circle/wp-content/uploads/2018/10/02095806/FSD-Kenya-CIS-Digital-Credit.pdf. FTC (USA Federal Trade Commission). Mobile Privacy Disclosures: Building Trust through Transparency (FTC Staff Report). FTC, February 2013. https://www.ftc.gov/sites/default/files/documents/reports/ mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff- report/130201mobileprivacyreport.pdf. G20 (Group of Twenty). G20 High-Level Principles for Digital Financial Inclusion. Global Partnership for Financial Inclusion, 2016. https://www.gpfi.org/publications/g20-high-level-principles-digital-financial- inclusion. G20/OECD (Organisation for Economic Co-operation and Development) Task Force on Financial Consumer Protection. Considerations for the Application of the G20/OECD High-Level Principles on Financial Consumer Protection to Digital and Alternative Financial Services. OECD, 2018. G20/OECD Task Force on Financial Consumer Protection. Effective Approaches for Financial Consumer Protection in the Digital Age: FCP Principles 1, 2, 3, 4, 6 and 9. OECD, 2019. http://www.oecd.org/ finance/financial-education/Effective-Approaches-FCP-Principles_Digital_Environment.pdf. G20/OECD Task Force on Financial Consumer Protection. Effective Approaches to Support the Implementations of the G20 High-Level Principles on Financial Consumer Protection. OECD, 2014. https://www.oecd.org/g20/topics/financial-sector-reform/financialconsumerprotection.htm. G20/OECD Task Force on Financial Consumer Protection. Financial Consumer Protection Policy Approaches in the Digital Age. OECD, 2018. https://www.oecd.org/finance/G20-OECD-Policy-Guidance-Financial- Consumer-Protection-Digital-Age-2018.pdf. References  155 Gibbens, E. “Helping Small Businesses Navigate through COVID-19.” IFC Insights, IFC, March 20, 2020. https://www.ifc.org/wps/wcm/connect/news_ext_content/ifc_external_corporate_site/news+and+events/ news/insights/smes-covid-19. GPFI (Global Partnership for Financial Inclusion). Data Protection and Privacy for Alternative Data (GPFI- FCPL Sub-Group Discussion Paper). GPFI, May 2018. https://www.gpfi.org/sites/gpfi/files/documents/ Data_Protection_and_Privacy_for_Alternative_Data_WBG.pdf. GPFI. Report on Advancing Women’s Digital Financial Inclusion. GPFI, 2020. https://www.gpfi.org/sites/gpfi/ files/sites/default/files/saudig20_women.pdf. Grady, R., et al. Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting (Discussion Note). World Bank Group, 2018. http://documents.worldbank.org/curated/ en/677281542207403561/pdf/132035-WP-FCP-New-Forms-of-Data-Processing.pdf. GSMA (GSM Association). “Mobile Money Glossary,” https://www.gsma.com/mobilefordevelopment/ mobile-money/glossary/. GSMA. Safeguarding Mobile Money: How Providers and Regulators Can Ensure That Customer Funds Are Protected. GSMA, 2016. https://www.gsma.com/mobilefordevelopment/resources/safeguarding- mobile-money-how-providers-and-regulators-can-ensure-that-customer-funds-are-protected/. GSMA. State of the Industry Report on Mobile Money 2018. GSMA, 2018. https://www.gsma.com/ mobilefordevelopment/wp-content/uploads/2019/02/2018-State-of-the-Industry-Report-on-Mobile- Money.pdf. GSMA. State of the Industry Report on Mobile Money 2019. GSMA, 2019. https://www.gsma.com/sotir/ wp-content/uploads/2020/03/GSMA-State-of-the-Industry-Report-on-Mobile-Money-2019-Full-Report.pdf. Guzman, L. “SEC to Shut Down Eight More Online Lending Apps.” CNN Philippines, September 27, 2019. https://www.cnnphilippines.com/business/2019/9/27/sec-illegal-online-lending-issuances.html. Havrylchyk, O. Regulatory Framework for Loan-Based Crowdfunding Platforms (Economics Department Working Papers No. 1513). OECD, 2018. http://www.oecd.org/officialdocuments/ publicdisplaydocumentpdf/?cote=ECO/WKP(2018)61&docLanguage=En. High-Level Expert Group on Artificial Intelligence. Ethics Guidelines for Trustworthy AI. EC, 2018. https:// ec.europa.eu/newsroom/dae/document.cfm?doc_id=60419. Hornby, L., and A. Zhang. “China’s Middle Class Hit by Shadow Banking Defaults.” Financial Times, December 26, 2018. https://www.ft.com/content/c55901f0-ff7d-11e8-aebf-99e208d3e521. Huang, R. H. “Online P2P Lending and Regulatory Responses in China: Opportunities and Challenges.” European Business Organization Law Review 19, no. 1 (2018): 63–92. https://doi.org/10.1007/s40804- 018-0100-z. ICCR (International Committee on Credit Reporting). Use of Alternative Data to Enhance Credit Reporting to Enable Access to Digital Financial Services by Individuals and SMEs Operating in the Informal Economy (Guidance Note). ICCR, 2018. https://www.gpfi.org/sites/gpfi/files/documents/Use_of_Alternative_Data_ to_Enhance_Credit_Reporting_to_Enable_Access_to_Digital_Financial_Services_ICCR.pdf. IMF (International Monetary Fund). “Digital Financial Services and the Pandemic: Opportunities and Risks for Emerging and Developing Economies” (IMF Special Series on COVID-19). IMF, July 1, 2020. https:// www.imf.org/en/Publications/SPROLLs/covid19-special-notes. IMF. The Promise of Fintech: Financial Inclusion in the Post COVID-19 Era. IMF, 2020. https://www.imf.org/ en/Publications/Departmental-Papers-Policy-Papers/Issues/2020/06/29/The-Promise-of-Fintech-Financial- Inclusion-in-the-Post-COVID-19-Era-48623. Intergovernmental Fintech Working Group (South Africa). IFWG Fintech Workshop 19–20 April 2018. Financial Intelligence Centre, National Treasury, Financial Sector Conduct Authority, and South African Reserve Bank, 2018. https://www.fic.gov.za/Documents/Final%20IFWG%20Report_April%20 2018(lower%20res%20email%20version).pdf. IOSCO (International Organization of Securities Commissions). IOSCO Research Report on Financial Technologies (Fintech) (FR02/2017). IOSCO, 2017. https://www.iosco.org/library/pubdocs/pdf/ IOSCOPD554.pdf. ITU-T (International Telecommunications Union) Focus Group on Digital Financial Services. Commonly Identified Consumer Protection Themes for Digital Financial Services (05/2016). International Telecommunications Union, 2016. https://www.itu.int/en/ITU-T/focusgroups/dfs/Documents/09_2016/ ConsumerProtectionThemesForBestPractices.pdf. ITU-T Focus Group on Digital Financial Services. ITU Focus Group Digital Financial Services: Main Recommendations (03/2017). International Telecommunications Union, 2017. https://www.itu.int/en/ ITU-T/focusgroups/dfs/Documents/201703/ITU_FGDFS_Main-Recommendations.pdf. Izaguirre, J. C., and R. Mazer. “How Regulators Can Foster More Responsible Digital Credit.” CGAP Blog, November 5, 2018. https://www.cgap.org/blog/how-regulators-can-foster-more-responsible-digital- credit. Izaguirre, J. C., M. Kaffenberger, and R. Mazer. “It’s Time to Slow Digital Credit’s Growth in East Africa.” CGAP Blog, 2018. https://www.cgap.org/blog/its-time-slow-digital-credits-growth-east-africa. 156   Consumer Risks in Fintech Izaguirre, J. C., R. Mazer, and L. Graham. “Digital Credit Market Monitoring in Tanzania” (slide deck). Consultative Group to Assist the Poor, September 2018. https://www.cgap.org/sites/default/files/ publications/slidedeck/Digital-Credit-Market-Monitoring-in-Tanzania-Slide-Deck-9-25-18.pdf. Izaguirre, J. C., et al. “Deposit Insurance and Digital Financial Inclusion.” CGAP Brief, October 2016. https://www.cgap.org/sites/default/files/Brief_Deposit_Insurance_and_Digital_Financial_Inclusion.pdf. Izaguirre, J. C., et al. Deposit Insurance Treatment of E-Money: An Analysis of Policy Choices (CGAP Technical Note). Consultative Group to Assist the Poor, 2019. https://www.cgap.org/sites/default/files/ publications/2019_10_Technical_Note_Deposit_Insurance_Treatment_EMoney_0.pdf. Jurd De Girancourt, F., M. Kuyoro, N. Ofosu-Amaah, E. Seshie, and F. Twum. “How the COVID-19 Crisis May Affect Electronic Payments in Africa.” McKinsey & Company Financial Services, June 4, 2020. https://www.mckinsey.com/industries/financial-services/our-insights/how-the-covid-19-crisis-may-affect- electronic-payments-in-africa. Kaffenberger, M., and P. Chege. “Digital Credit in Kenya: Time for Celebration or Concern?” CGAP Blog, October 2016. https://www.cgap.org/blog/digital-credit-kenya-time-celebration-or-concern. Kaffenberger, M., and E. Totolo. A Digital Credit Revolution: Insights from Borrowers in Kenya and Tanzania (Working Paper). Consultative Group to Assist the Poor, 2018. https://www.cgap.org/sites/default/files/ publications/Working-Paper-A-Digital-Credit-Revolution-Oct-2018.pdf. Karakas, C., and C. Stamegna. “Defining an EU-Framework for Financial Technology (Fintech): Economic Perspectives and Regulatory Challenges.” Law and Economics Yearly Review 7, no. 1 (2018): 106–29. http://www.laweconomicsyearlyreview.org.uk/Law_and_Economics_Yearly_Review_LEYR_Journal_vol_7_ part_1_2018.pdf. Kerse, M., and S. Staschen. Safeguarding Rules for Customer Funds Held by EMI and GSMA (CGAP Technical Note). Consultative Group to Assist the Poor, 2018. https://www.cgap.org/sites/default/files/ publications/Technical-Note-Safeguarding-Funds-Dec-2018.pdf. Kerse, M., et al. Technical Note on the Use of Agents by Digital Financial Services Providers (Technical Note). Consultative Group to Assist the Poor, 2020. https://www.cgap.org/sites/default/files/ publications/2020_02_Technical_Note_Use_Agents_Dig_Fin_Serv_Providers.pdf. Kyamutetera, M. “Hackers Break Into Mobile Money System, Make Off with Unspecified Billions Belonging to Airtel, MTN, Stanbic, and Other Financial Institutions.” The CEO East Africa, October 5, 2020. https:// www.ceo.co.ug/hackers-break-into-mobile-money-system-make-off-with-unspecified-billions-belonging- to-airtel-mtn-stanbic-and-other-financial-institutions/. Lee, N., et al. “Algorithmic Bias Detection and Mitigation: Best Practices and Policies to Reduce Consumer Harms.” Brookings, May 22, 2019. https://www.brookings.edu/research/algorithmic-bias-detection-and- mitigation-best-practices-and-policies-to-reduce-consumer-harms/. Lenz, R. “Peer-to-Peer Lending—Opportunities and Risks.” European Journal of Risk Regulation 7, no. 4 (2016): 688–700. https://www.cambridge.org/core/journals/european-journal-of-risk-regulation/article/ peertopeer-lending-opportunities-and-risks/9B9E21667A148330DDA491775A23AF5E. Liu, J. “The Dramatic Rise and Fall of Online P2P Lending in China.” Tech Crunch, August 2, 2018. https:// techcrunch.com/2018/08/01/the-dramatic-rise-and-fall-of-online-p2p-lending-in-china/. Lo, B. “If It Ain’t Broke: The Case for Continued SEC Regulation of P2P Lending.” Harvard Business Law Review Online 6 (2016): 87–110. https://www.hblr.org/hblr-online-volume-6-2016/. Makortoff, K. “Peer-to-Peer Lender Funding Secure Goes into Administration.” The Guardian, October 24, 2019. https://www.theguardian.com/money/2019/oct/23/peer-to-peer-lender-funding-secure- administration-pawnbroker. Mazer, R. “Does Transparency Matter: Assessing the Impact of Improved Disclosure in Digital Financial Services in Kenya” (slide deck). Consultative Group to Assist the Poor, 2018. https://www.cgap.org/sites/ default/files/publications/slidedeck/2018_03-Slidedeck-Does_Transparency_Matter.pdf. Mazer, R. “Kenya’s Rules on Mobile Money Price Transparency Awareness Are Paying Off.” CGAP Blog, April 4, 2018. Mazer, R., and K. McKee. “Consumer Protection in Digital Credit” (Focus Note 108). Consultative Group to Assist the Poor, 2017. https://www.cgap.org/sites/default/files/Focus-Note-Consumer-Protection-in- digital-Credit-Aug-2017.pdf. Mazer, R., and P. Rowan. “Competition in Mobile Financial Services: Lessons from Kenya and Tanzania” (Working Paper). Consultative Group to Assist the Poor, 2016. https://www.cgap.org/sites/default/files/ Working-Paper-Competition-in-MFS-Kenya-Tanzania-Jan-2016.pdf. Mazer, R., J. Vancel, and A. Keyman. “Finding ‘Win-Win’ in Digitally-Delivered Consumer Credit.” CGAP Blog, January 13, 2016. https://www.cgap.org/blog/finding-win-win-digitally-delivered-consumer-credit. McKee, K., et al. “Doing Digital Finance Right: The Case for Stronger Mitigation on Customer Risks” (Focus Note 103). Consultative Group to Assist the Poor, 2015. https://www.cgap.org/sites/default/files/Focus- Note-Doing-Digital-Finance-Right-Jun-2015.pdf. Megaw, N. “Peer-to-Peer Groups Battle to Survive More Hostile Market.” Financial Times, June 9, 2019. https://www.ft.com/content/275c7d6a-8880-11e9-97ea-05ac2431f453. References  157 MicroSave. “Making Digital Credit Truly Responsible.” Center for Financial Inclusion, September 2019. https://content.centerforfinancialinclusion.org/wp-content/uploads/sites/2/2019/09/Digital-Credit- Kenya-Final-report.pdf. MicroSave. “Where Credit Is Due: Customer Experience of Digital Credit in Kenya.” Center for Financial Inclusion, March 2017. https://www.microsave.net/wp-content/uploads/2018/10/Where_Credit_Is_Due_ Customer_Experience_of_Digital_Credit_In_Kenya.pdf. Morawczynski, O. “Fraud in Uganda: How Millions Were Lost to Internal Collusion.” CGAP Blog, March 11, 2015. https://www.cgap.org/blog/fraud-uganda-how-millions-were-lost-internal-collusion. Morita, H. 2016. “Crowdfunding in Japan: Current Regulation and the Future of Business.” SSRN, March 21, 2016. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2752312. New, J., and D. Castro. “How Policymakers Can Foster Algorithmic Accountability.” Center for Data Innovation, 2018. http://www2.datainnovation.org/2018-algorithmic-accountability.pdf. OECD (Organisation for Economic Co-operation and Development). Financial Consumer Protection Policy Approaches in the Digital Age—Protecting Consumers’ Assets, Data and Privacy. OECD, 2020. https:// www.oecd.org/daf/fin/financial-education/Financial-Consumer-Protection-Policy-Approaches-in-the- Digital-Age.pdf. OECD. G20 High-Level Principles on Financial Consumer Protection. OECD, 2011. https://www.oecd.org/ daf/fin/financial-markets/48892010.pdf. OECD. Recommendation of the Council on Artificial Intelligence (OECD/LEGAL/0449). OECD, 2019. https:// legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449. OECD. Recommendation of the Council on Consumer Protection in the field of Consumer Credit (OECD/ LEGAL/0453). OECD, 2019. https://www.oecd.org/finance/financial-education/Recommendation-FCP- Consumer_Credit.pdf. OECD. Short-Term Consumer Credit: Provision, Regulatory Coverage and Policy Responses. OECD, 2019. http://www.oecd.org/daf/fin/financial-education/Short-term-consumer-credit-report.pdf. OJK (Otoritas Jasa Keuangan). “OJK Issues Regulation on IT-Based Lending Services,” press release SP 01/DKNS/OJK/I/2017, January 10, 2107. https://www.ojk.go.id/en/berita-dan-kegiatan/siaran-pers/ Documents/Pages/Press-Release-OJK-Issues-Regulation-on-It-Based-Lending-Services/SIARAN%20 PERS%20POJK%20%20%20%20FIntech-ENGLISH.pdf. Owens, J. “Responsible Digital Credit.” Center for Financial Inclusion, 2018. https://content. centerforfinancialinclusion.org/wp-content/uploads/sites/2/1970/01/Responsible_Digital_Credit_ FINAL_2018.07.18.pdf. Oxera. Crowdfunding from an Investor Perspective. Oxera, 2015. https://ec.europa.eu/info/sites/info/files/ file_import/160503-study-crowdfunding-investor-perspective_en_0.pdf. Rahman, R. “‘They Terrorized Me Every Day’: Fintech Debtors Tell of Abuse.” The Jakarta Post, November 6, 2018. https://www.thejakartapost.com/news/2018/11/06/they-terrorized-me-every-day-fintech-debtors- tell-of-abuse.html. Reserve Bank of India. Report of the Working Group on FinTech and Digital Banking. Reserve Bank of India Central Office, 2017. https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/ WGFR68AA1890D7334D8F8F72CC2399A27F4A.PDF. Reserve Bank of Zimbabwe. “Cash-In, Cash-Out and Cash-Back Facilities,” press statement, October 2, 2019. https://www.rbz.co.zw/documents/press/Press-Statement---02-October-2019.pdf. Reuters. “Regulatory Problems Have Choked China’s P2P Lending Industry.” The Japan Times, September 6, 2019. https://www.japantimes.co.jp/news/2019/09/06/business/regulatory-problems-choked-chinas- p2p-lending-industry/. Reynolds, T., M. Klawitter, C. L. Anderson, P. Biscaye, K. Callaway, M. Greenaway, D. Lunchick-Seymour, M. McDonald, and A. Hayes. “Review of Digital Credit Products in India, Kenya, Nigeria, Tanzania, and Uganda.” Evans School of Policy Analysis and Research, April 2017. https://evans.uw.edu/wp-content/ uploads/files//EPAR_UW_351a_Review%20of%20Digital%20Credit%20Products_4.12.17.pdf. Safaricom. “Update on April 24th Network Outage,” press release, April 25, 2017. https://www.safaricom. co.ke/about/media-center/publications/press-releases/release/355. Samitsu, A. “Structure of P2P Lending and Investor Protection: Analyses Based on an International Comparison of Legal Arrangements” (Bank of Japan Research LAB No17-E-6). Bank of Japan, October 23, 2107. https://www.boj.or.jp/en/research/wps_rev/lab/lab17e06.htm/. SEC (USA Securities and Exchange Commission). “Facilitating Capital Formation and Expanding Investment Opportunities by Improving Access to Capital in Private Markets: A Proposed Rule by the Securities and Exchange Commission on 03/31/2020.” Federal Register, March 31, 2020. https://www.federalregister. gov/documents/2020/03/31/2020-04799/facilitating-capital-formation-and-expanding-investment- opportunities-by-improving-access-to-capital. SEC. “Final Rule: Crowdfunding”, Release Nos. 33-9974; 34-76324; File No. S7-09-13, RIN 3235-AL37, March 25, 2015. https://www.sec.gov/rules/final/2015/33-9974.pdf. 158   Consumer Risks in Fintech SEC. “Investor Bulletin: Be Cautious of SAFEs in Crowdfunding.” US Securities and Exchange Commission, May 9, 2017. https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_safes. SEC. “SEC Proposes Rule Changes to Harmonize, Simplify and Improve the Exempt Offering Framework,” press release 2020-55, March 4, 2020. https://www.sec.gov/news/press-release/2020-55. SEC. “Updated Investor Bulletin: Crowdfunding for Investors.” US Securities and Exchange Commission, May 10, 2017. https://www.sec.gov/oiea/investor-alerts-bulletins/ib_crowdfunding-.html. Securities and Exchange Commission (Brazil). Public Hearing Notice SDM No. 02/2020. Shin & Kim. “National Assembly Passes New Law for P2P Lenders, Becoming the First of Its Kind to Provide Legal Basis for Marketplace Lending.” Lexology, November 7, 2019. https://www.lexology.com/library/ detail.aspx?g=dd7ef79a-5c8d-4462-963f-229db56435fd. The Smart Campaign. “Tiny Loans, Big Questions: Client Protection in Mobile Consumer Credit.” Center for Financial Inclusion, 2017. https://www.centerforfinancialinclusion.org/smart-brief-tiny-loans-big- questions. The Smart Campaign. “Standards of Protection for Digital Credit.” Center for Financial Inclusion, June 2019. https://www.smartcampaign.org/storage/documents/Digital_Credit_Standards_June_2019.pdf. Stanbic Bank Uganda, MTN Uganda, and Airtel Uganda. “System Incident Impacting Bank to Mobile Money Transactions,” press statement, October, 5, 2020. https://www.mtn.co.ug/press-statement/. Staschen, S. “Basic Regulatory Enablers for Digital Financial Services” (CGAP Focus Note). Consultative Group to Assist the Poor, May 2018. https://www.cgap.org/research/publication/basic-regulatory- enablers-digital-financial-services. World Bank Group. Capital Markets and SMEs in Emerging Markets and Developing Economies: Can They Go the Distance? World Bank Group, 2020. https://openknowledge.worldbank.org/ handle/10986/33373. World Bank Group. Global Experiences from Regulatory Sandboxes. World Bank Group, 2020. https:// openknowledge.worldbank.org/handle/10986/34789. World Bank Group. Global Financial Inclusion and Consumer Protection Survey: 2017 Report. World Bank Group, 2017. https://openknowledge.worldbank.org/handle/10986/28998?locale-attribute=en. World Bank Group. Global Findex Database 2017: Measuring Financial Inclusion and the Fintech Agenda. World Bank Group, 2017. https://openknowledge.worldbank.org/handle/10986/29510. World Bank Group. Good Practices for Financial Consumer Protection: 2017 Edition. World Bank Group, 2017. https://openknowledge.worldbank.org/handle/10986/28996. World Bank Group. The Next Wave of Suptech Innovation: Suptech Solutions for Market Conduct Supervision. World Bank Group, 2021. http://documents.worldbank.org/curated/ en/735871616428497205/The-Next-Wave-of-Suptech-Innovation-Suptech-Solutions-for-Market- Conduct-Supervision World Bank Group. Prudential Regulatory and Supervisory Practices for Fintech: Payments, Credit and Deposits. World Bank Group. 2019. https://openknowledge.worldbank.org/handle/10986/33221. World Bank Group and CCAF (Cambridge Centre for Alternative Finance). Regulating Alternative Finance: Results from a Global Regulator Survey. World Bank Group, 2019. https://openknowledge.worldbank. org/bitstream/handle/10986/32592/142764.pdf. World Bank Group and International Committee on Credit Reporting. Credit Scoring Approaches Guidelines. World Bank Group, 2019. http://pubdocs.worldbank.org/en/935891585869698451/CREDIT- SCORING-APPROACHES-GUIDELINES-FINAL-WEB.pdf. World Bank Group and International Monetary Fund. The Bali Fintech Agenda—Background Paper. International Monetary Fund, 2018. https://www.imf.org/~/media/Files/Publications/PP/2018/pp101118- bali-fintech-agenda.ashx. Xiao, L. “Improving China’s P2P Lending Regulatory System: An Examination of International Regulatory Experience.” US-China Law Review 13 (2016): 460–73. https://pdfs.semanticscholar. org/11a2/06c0dbd2f55e49803c475ba0e178bfd79604.pdf. Ziegler, T., et al. Shifting Paradigms: The 4th European Alternative Finance Benchmarking Report. University of Cambridge, 2019. https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/alternative- finance/downloads/2019-04-4th-european-alternative-finance-benchmarking-industry-report-shifting- paradigms.pdf. Zimmerman, J., and S. Baur. “Understanding How Consumer Risks in Digital Social Payments Can Erode Their Financial Inclusion Potential.” CGAP Brief, March 2016. https://www.cgap.org/sites/default/ files/researches/documents/Brief-Understanding-How-Consumer-Risks-in-Digital-Social-Payments- March-2016.pdf. Investment-Based Crowdfunding   159