Mobile money ‘Mystery shopping’ as a regulatory measure.
East Africa’s FinTech scene is ‘boomin’. Major disruptive developments are identifiable: crowd funding is becoming an important part of corporate finance, mobile payment is growing fast, virtual currencies such as bitcoin are gaining popularity and algorithms are providing a new way of assessing credit-worthiness.
The main challenge in launching and expanding FinTech businesses is navigating the complex regulatory landscape, to understand, develop and implement a compliance and regulatory framework and to obtain the required regulatory permissions to get started.
To add on to my previous post I thought it would be useful to highlight the key compliance issues that FinTech firms should be focused on in 2017, whether they plan to revolutionize the delivery of a financial service, or simply provide a better mouse trap to existing industry players. FinTech investors also can use this post to ask questions of the companies they have or will invest in as a way to gauge whether management’s creativity extends to the concerns of key regulators.
Operating FinTech that is separate from regulation
Ideally before rolling out, a Fintech firm will have to undertake a detailed analysis of its business model against applicable financial regulation to fully understand what can be achieved without becoming a regulated entity, or, conversely, to help them seek appropriate licenses or approvals.
The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) of 2009 introduced various obligations and restrictions on “financial institutions” as measures for combating money laundering. The extent to which the POCAMLA affects the operations of a Platform depends on whether the Platform falls within the definition of “financial institutions” or a “designated non-financial business”. POCAMLA defines financial institutions to include:
- any person who transfers funds or value through formal and informal channels;
- issues and manages means of payment including credit cards and electronic money; and
- engages in money and currency changing.
Cyber security issues continue to present compliance challenges for everyone, with reports of high-profile cyber events now a regular occurrence. FinTech firms are no exception to this trend. In fact, the intersection between cybersecurity and FinTech business models means that FinTech firms will likely find themselves increasingly in the cybersecurity “crosshairs” in 2017.
Laws and regulations governing the provision of financial services and products to consumers/retail investors are part of the FinTech competitive landscape. Depending on the nature of the particular product or service, firms may need to understand consumer protection is a constitutional right and that a customer includes a natural person or a company which the firm may contract with or would offer its services to.
Opportunity & outlook
The momentum of the tech boom should build a good platform for potential capacities of FinTech firms in the East African region. Networking, know-how and resources sharing between start-ups, investors and established players on the market are essential for the success of startups.
Firms should also recognize that as they become more successful, regulators such as the CBK will increasingly turn their attention to FinTech. The areas highlighted above may provide the lens through which regulators will seek to further regulate FinTech. Even firms that only provide their technologies to others will feel the pressure from vendor management requirements.
Speed and reliable partnerships are key to success. To deal with the legal issues, a reliable partner makes a difference. Regulation is a hurdle but a solvable one.
On 22nd September 2016, Yahoo confirmed a cyber-attack in which over 500 million personal accounts were compromised. This was arguably the largest cyber security breach in history. The information obtained by the hackers includes names, email addresses, telephone numbers, dates of birth and in some cases, security questions and answers. This comes in the wake of the on-going merger with Verizon Communications in which Yahoo is selling its core business (search, email and messenger assets as well as advertising technology tools) for USD 4.8 Billion.
While not as embarrassing to its members as the Ashley Madison hack from 2015, this recent event raises a good prompt to question whether Kenyan law is relevant to the internet. What if Yahoo was a Kenyan company? What would be the legal outcome of this breach?
Kenya’s legislature is attempting to keep up with evolving cyber security issues. Existing law does not impose any sanction or penalty on to the Kenyan equivalent of Yahoo however there are three bills which would change this.
The Data Protection Bill 2013, the Computer and Cyber Crimes Bill 2016 (CCC) and the Cyber Security and Protection Bill 2016 (CSP) are based on the equivalent laws in South Africa and the UK and aim to incentivize companies to increase their internet security and to prohibit certain acts in the use of the internet. It is unclear if, or when, they will become law.
The Data Protection Bill aims to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. The Bill proposes that all companies will be required to put in measures to protect data against loss, destruction and manipulation. Failure to put in adequate security measures will attract a penalty of 100,000 Kenya Shillings or to imprisonment of 2 years or both.
The CSP and the CCC share the same vision of regulating cyber crimes but adopt competing methods to try and deal with this issue. The CCC is a Government Bill whereas the CSP is privately sponsored, so there is currently no clarity on when or if these bills will be progressed.
The CSP aims to establish a Response Unit in the ICT Ministry to receive and investigate reports on cyber threats. The CCC proposes additional investigative procedures for police officers.
The CSP proposes an information sharing mechanism between public and private companies (and with each other) whereas the CCC is seeking to improve international co-operation for prosecuting cyber crimes. Broadly, the goal of both bills is to hasten investigations and prosecution of cyber crimes.
Relevantly for corporations, the CSP would require a company suffering a cyber-breach to report it to the Response Unit within 7 days of it occurring. Failure to do so will be an offence. Worryingly, for corporations, there is no element of knowledge to trigger the 7 day reporting requirement. A company could be in breach of this provision if it were hacked and did not discover this fact for a significant period of time. As mentioned above, the CSP bill does not currently have government support and so its chance of becoming law is not high. However, its existence, and the Government’s CCC bill shows that the Kenyan legislature is moving towards regulating and imposing penalties in this area. It is only a matter of time before one of these bills is enacted.
Separate to the legal outcomes, from a commercial perspective, a cyber-attack is bad for business. Yahoo not only faces potential class action suits, and reputational damage but the likelihood of the hack being a deal breaker on the merger with Verizon is high. With the potential for new legislative penalties in Kenya on the horizon, companies should place data protection and cyber-security on their risk management agenda sooner rather than later and before a cyber-breach occurs, not as a result of one.
Below is a clip on simple cyber security tips we can all embrace from the Herjavec Group a cyber security firm.