Open Finance is a relatively new concept that is built on the principle of consumers owning the data they create on financial service providers’ platforms. Consumers would be able to give their consent for their data to be shared with licensed third-party providers who in turn will use the data to develop and offer innovative products and services in a safe and ethical manner. In December 2020, the FSCA published a consultation paper on Open Finance with a view to engaging stakeholders and developing a policy position on the subject.

The type of customer data includes all consumer financial services data relating to savings, debt, investments, pensions, insurance, payment transactions, lending, savings, and deposits. Open Finance has the potential to increase competition, promote financial inclusion and access, create new business models, drive financial innovation, and ultimately improve the customer experience. The conduct regulator has identified 5 initial key uses where open finance may be applied, namely.

 

• Account Aggregation – accounts are aggregated into a single interface for customer to have a single view across FSPs with whom they do business.
• Payments – third party providers making payments to merchants on behalf of customers.
• Alternative Lending – assessment of credit scores and affordability and determining appropriate lending products.
• Insurance –identify personalised and best priced insurance products for customers; and
• Financial Management Tools – offer business and personal financial planning and analytical tools to assist in the management and tracking of finances.

 

The global pandemic has increased the rate of digital adoption, and catapulted fintechs into the mainstream. Customers are more willing to share their data in the hopes of having an improved customer experience as well as getting the best possible deal and as such fintechs are currently well positioned to benefit from the development of Open Finance.

In a press release titled “Fintech Innovation in South Africa in the era of data security and protection” the FSCA indicated that the use of non-traditional data is on the rise in South Africa and the move to more online business means that greater risks have been introduced and require mitigation and focus. Some of the risks highlighted, include –

• data privacy or data misuse – stemming from the large volumes of data that will be exchanged and aggregated by financial services providers.
• cyber security risk – due to large data flows there is an increased risk of information system vulnerability.
• customer adoption – there may be reluctance depending on digital literacy and consumer education; and
• complexity of development – the need for financial services providers to adopt APIs to exchange data may be complex.

 

Financial regulators are focused on developing a regulatory framework that will strengthen consumer education, licensing, supervision, and enforcement to combat new risks. Concerns around data privacy and cyber security in the financial innovation space are by no means novel and as such it is hoped that firms already operating in this arena are working towards ensuring adequate measures and risk management are in place to protect customers. Those who can adequately address and overcome these challenges will be able to unlock the benefits of Open Finance and other emerging innovations. 

 

The FSCA has made the following recommendation for the development of Open Finance in South Africa.

Recommendation 1 – Consent and Customer Protection

An Informed disclosure framework should be developed that is suitable for each target market and reflective of their digital literacy. Customers should be made aware of their rights to consent to the sharing of their data, informed of how it is being collected, shared, and used, as well as the right to withdraw that consent i.e., the right to be forgotten. They should also have the right to review, download and correct any inaccurate data.

Recommendation 2 – Dispute Mechanisms

FSPs, third party providers and customers should all have the ability to raise and resolve disputes between the parties. As such a complaints management process should be in place to enable the management of any disputes and issues.

Recommendation 3 – Standardisation

It is proposed that standards be set around Open APIs as the mechanism for sharing data to ensure interoperability, efficiency, and usability for all participants in the Open Finance value chain.

Recommendation 4 – Commercial Models

It is recommended that the customer financial data be shared with third parties at no fee. However, the FSP can still offer value added data sets and analytics to third parties on a commercial basis.

Recommendation 5 – Protection of Data

FSPs and third-party providers must implement a framework and take reasonable steps to prevent data privacy breaches and data misuse in compliance with the requirements of the Protection of Personal Information Act (POPIA). The framework should also cover data ethics to ensure that algorithms applied to data do not lead to unfair discrimination.

It is not known if Open Finance in South Africa will be made compulsory for FSPs as is the case in the UK, or whether it will be voluntary, however, it is envisioned that third party providers will be required to be licensed in order to retrieve customer data from FSPs and be will be supervised as regulated entities under the COFI Bill which is currently in its 2^nd draft form. It is expected that the feedback received from this consultation paper will be incorporated into the policy development process and thereafter within the course of 2021 the regulator’s position and frameworks will be incorporated into the COFI Bill.

 

Open Finance is a relatively new concept that is built on the principle of consumers owning the data they create on financial service providers’ platforms. Consumers would be able to give their consent for their data to be shared with licensed third-party providers who in turn will use the data to develop and offer innovative products and services in a safe and ethical manner. 

In December 2020, the FSCA published a consultation paper on Open Finance with a view to engaging stakeholders and developing a policy position on the subject.

The type of data includes all consumer financial services data relating to savings, debt, investments, pensions, insurance, payment transactions, lending, savings, and deposits. Open Finance has the potential to increase competition, promote financial inclusion and access, create new business models, drive financial innovation, and ultimately improve the customer experience. The conduct regulator has identified 5 initial key uses where open finance may be applied, namely.

• Account Aggregation –accounts are aggregated into a single interface for customer to have a single view across FSPs.
• Payments – making payments to merchants on behalf of customers.
• Alternative Lending –assess credit scores and affordability and determines appropriate lending products.
• Insurance –identify personalised and best priced insurance products; and
• Financial Management Tools – offer business and personal financial planning and analytical tools to assist in the management and tracking of finances.

The global pandemic has increased the rate of digital adoption, and catapulted fintechs into the mainstream. Customers are more willing to share their data in the hopes of having an improved customer experience as well as getting the best possible deal and as such fintechs are currently well positioned to benefit from the development of Open Finance.

In a press release titled “Fintech Innovation in South Africa in the era of data security and protection” the FSCA indicated that the use of non-traditional data is on the rise in South Africa and the move to more online business means that greater risks have been introduced and require mitigation and focus. Some of the risks highlighted, include –

• data privacy or data misuse – stemming from the large volumes of data that will be exchanged and aggregated by financial services providers.
• cyber security risk – due to large data flows there is an increased risk of information system vulnerability.
• customer adoption – there may be reluctance depending on digital literacy and consumer education; and
• complexity of development – the need for financial services providers to adopt APIs to exchange data may be complex.

 

Financial regulators are focused on developing a regulatory framework that will strengthen consumer education, licensing, supervision, and enforcement to combat new risks. Concerns around data privacy and cyber security in the financial innovation space are by no means novel and as such it is hoped that firms already operating in this arena are working towards ensuring adequate measures and risk management to protect customers. Those who can adequately address and overcome these challenges will be able to unlock the benefits of Open Finance and other emerging innovations. 

Following on from the “Position Paper on Crypto Assets” published in March 2020, the FSCA last week announced the release of the “Draft Declaration of Crypto Assets as a Financial Product”. In the Position Paper five specific use cases for crypto assets in South Africa were identified and 30 Recommendations were made for a unified and risk-based approach to crypto asset regulation in South Africa. You can find more information on all 30 Recommendations in our Insight titled “Policy Development for Crypto Asset Regulation in South Africa.

 

The “Draft Declaration on Crypto Assets as a Financial Product” gives effect to Recommendations 9 and 10 in the Position Paper which state that the buying and selling of crypto assets, and activities related to buying and selling of crypto assets should be classified as financial services and that the FSCA should become the responsible authority for licensing of these services. Anyone conducting activities that fall within its scope will therefore be required to be authorised by the FSCA and comply with the requirements of the FAIS Act such as client risk assessment and adequate disclosures. They will be required to comply with the General Code of Conduct for FSPs and the Fit & Proper requirements where these are deemed to be appropriate. Once the COFI Bill comes into force it will repeal the FAIS Act and any other regulatory developments that have been put in place around the regulation of crypto assets such as this draft declaration will be captured and absorbed into the COFI Bill. The second Draft of the COFI Bill was also published a few months ago and it is yet unknown when we can expect the final bill to come into effect.

This draft declaration is the first step towards implementing a regulatory framework around crypto assets and has been created to ensure adequate consumer protections are afforded to financial services customers. The draft does not cover the full scope of potential activities related to crypto assets and it is expected that these will be addressed more fully in the COFI Bill, however, the alignment of the Position Paper and the Bill is still under consideration and yet to be finalised.

Provisional arrangements have been put in place to accommodate businesses already providing services in scope of the declaration before the final declaration comes into effect. They will be required to apply for authorisation in terms of Section 8 in the FAIS Act within 4 months of the effective date of the final declaration and a failure to do so means such businesses must cease to operate.

The regulation of crypto assets in South Africa is an ongoing process and the extent to which the industry will be regulated going forward will be determined by systemic concerns as well as the need for the regulators to exercise one of their primary mandates to protect consumers. Despite the apparent breathing room that CASPs may have to comply they are best advised to start getting their houses in order sooner rather than later to ensure a smooth transition to the world of regulated services. 

The Draft Declaration is open for comments until 28 January 2021.

 

 

Mobile technology has certainly been a game changer for financial innovation in Africa, however some fintech players using this technology have gained notoriety for taking away from the gains of financial inclusion. The proliferation of digital lending platforms in Kenya has resulted in increased predatory lending practices, over indebtedness, customer harassment and shaming by debt collectors as well as rising data privacy concerns. Borrowers are required to give the lending app access to their phone contacts and social media as part of onboarding processes. This information is subsequently made available to or accessed by debt collectors who use it to contact family, friends, and colleagues of the borrower in pursuit of outstanding balances. The Central Bank of Kenya recently expressed deep concern around these practices and confirmed that a borrower had reportedly committed suicide due to over indebtedness and following intimidation and harassment by debt collectors.

Tala and Branch who are two top players in the digital lending sector in Kenya offer annualised interest rates of 152.4% and 132% respectively. An analysis by Microsave Consulting (MSC) showed that many Kenyan borrowers had a low understanding of pricing, terms and conditions and found themselves paying exorbitant interest on loans, and were also unaware of how their personal data was being used or shared.

Central Bank of Kenya Governor, Patrick Njoroge, said it was time to do the right thing and ensure that customers were protected, and proper oversight of financial innovation needed to be established.  The central bank also shared that it, alongside Treasury, was working on a new law to cover digital mobile lenders in efforts to curb the charging of excessive interest rates.

In November 2019, Kenya introduced a data protection law which complies with the EU GDP Regulations to further bolster investment in information technology. The law sets out how personal data can be handled, stored, and shared as well as the penalties for violation which include a fine of up to KSh2million or 2 years imprisonment.

In November 2018 Kenya published a draft Financial Markets Conduct Bill which, among other things which you can read in our Insights on this Bill, will introduce regulations around the provision of credit to retail customers and create a new market conduct authority.

In June 2020 the Central Bank of Kenya published the Central Bank of Kenya (Amendment) Bill with the principal objective and amending the Central Bank Act to allow the Central Bank to supervise and regulate digital financial products and services which includes digital credit providers and digital credit service providers.

Most recently in October 2020, the Central Bank of Kenya participated in a meeting with other Regulators, UN agencies, market actors and officials from 10 countries to launch the Dialogue on Global Digital Finance Governance to catalyze international and corporate governance innovations to ensure Big Fintech benefit all and are aligned with Sustainable Development Goals.

 

These regulatory developments and initiatives are reflective of the recognition that financial innovation although welcome and necessary to achieve the objective of financial inclusion, can not be left to operate unchecked. Ensuring fairness and consumer protection are also a key objectives of financial market regulators and as such there is a need to better regulate digital financial products and services in the interests of consumers. It is also clear that in the future big fintech companies may in future become systemically important and as such frameworks need to be developed to ensure that they practice good governance and that regulators have proper understanding and oversight over their activities while also allowing innovation to thrive. 

 Below are some examples of the revelations –

       1.       Between 2013 and 2014 HSBC is revealed to have permitted $80 million to move through its business despite being aware that the funds were associated with a Ponzi scheme and having submitted SARs to this effect to FinCEN. HSBC has also in the past received a fine of US$1.9 Billion following failures in their AML Programme.

       2.        JP Morgan may have helped a Russian mafia boss accused of drug trafficking, gun running and murder to move more than US$1Billion through the financial system. They failed to establish the ownership of an offshore firm with whom it did business between 2002 and 2013 and it was later determined that the entity’s parent company may have been owned by the mafia boss who was on the FBI’s Top 10 most wanted list.

       3.       Leaked documents suggest that billionaire associate and childhood friend of Vladimir Putin, Arkady Rotenberg, on whom the US and EU has imposed sanctions, may have evaded those sanctions using Barclays Bank. Barclays opened an account for a company called Advantage Alliance which was owned by Arkady Rotenberg and the account was used to transact and purchase millions of dollars’ worth of art.

Failures by other banks such as Standard Chartered and Deutsche Bank were also revealed in the leaks evidencing the extent of the failure of the AML Programmes in these institutions. The banks may have discharged their legal obligations by submitting their reports and taking no further action, however it will be interesting to see how the regulators respond to these assertions following the leaks. There are other consequences for the banks that have already started to become apparent.  HSBC shares in Hong Kong fell 4.4% to their lowest level since 1995, lower than its lowest point during the financial crisis. While Standard Chartered and Barclays dropped 5% and 6% respectively.

The revelations have caused negative market sentiment and significant reputation damage for the named institutions.

More details continue to emerge and have revealed transactions involving banks in South Africa, Kenya, Botswana, Guinea, Cameroon, Nigeria and beyond and how they enabled the flow of illicit funds. You may be wondering why African countries are reporting suspicious activity to US Regulators, so to provide some clarity the requirement is that suspicious transactions carried out in US Dollars must be reported to FinCEN even if the transactions did not take place on US soil. The requirements are extraterritorial in nature.

On 16 September 2020, FinCEN announced proposals to overhaul and enhance the effectiveness and efficiency of its AML Programme following the leaks.  This massive exposure begs the question as to whether it is prudent to expect the banks that derive profit from financial transactions to be the same entities that report and in turn halt these transactions. Is it a matter of the programme not being implemented effective or is there a need for an entirely new approach if there is any hope of making a serious impact against financial crime and terrorist financing? 

We will be following the developments as more revelations come to light regarding the impact of the FinCEN File leaks in Africa and the regulatory response to the revelations.

Under the Financial Sector Regulation Act the FSCA was given the mandate to regulate and supervise the conduct of banks in relation to the provision of financial products and services. As part of the FSCA’s work to fulfill its mandate to create a strong market conduct regulatory framework the regulator earlier this month published the Conduct Standards for Banks to ensure the fair treatment of banking customers. The need for Conduct Standards arose due to the identification of several poor outcomes experienced by customers in the banking sector over the last decade.

Our Insight titled COFI Bill – Spotlight on Consumer Protection and Treating Customers Fairly discusses the poor customer outcomes which necessitated the strengthening of market conduct regulation in South Africa. The regulator also took cognisance of market conduct issues that arose globally such as manipulation of the global foreign exchange markets by some large banks and the LIBOR manipulation scandal of 2012.  These local and international considerations have given rise to the publishing of the Conduct Standards as a first step to better regulating market conduct in the South African banking sector.

Market conduct regulation to date has its roots in the Treating Customers Fairly principles and the same applies to these Standards. They therefore do not supersede existing regulations and requirements but are meant to apply in addition to them. The approach will be a balance between principles-based and rules-based application which in certain circumstances gives banks of different sizes and complexity room to customise implementation to achieve the desired outcome.

Culture & Governance (effective March 2021) – appropriate governance policies, procedures and arrangements must be implemented to ensure that achieving good customer outcomes is central to the culture of an organisation. Corporate Governance requirements are not new to South African financial services. The Companies Act along with King IV and all its previous iterations have ensured that these practices are entrenched in how banks do business. What will need to be assessed is whether fair customer outcomes are reflected in the governance practices of all banks and how this if filtered and messaged in policies and procedures at all levels of the organisation.

Design & Suitability of Financial Products and Services (effective March 2021) – The design and suitability of financial products and services including advertising and distribution must have regard to the interests of the customers and must be monitored on an ongoing basis. Most banks have established New Business Initiative Assessment procedures in place that require the review of new products and services by all stakeholders including risk and compliance. The risk assessment of the product or service should include how the product or services meets Treating Customers Fairly principles and the process will typically requires senior management sign off before the product can be launched. If a bank does not have an existing or robust governance process in place to facilitate adequate consideration of customer outcomes for product development this will need to be put in place to meet the requirements of the Conduct Standards.

Advertising (effective March 2021) – Information provided to potential customers must be factually correct, clear, fair, and not misleading. Appropriate governance must be put in place around the approval of advertising and advertising methods to ensure that there is consistency with the requirements of the Conduct Standards. Records relating to advertising must be retained for 5 years after publication.

Disclosures (effective July 2021) – pre-sale, during the sale and post-sale customers should be provided with all the relevant information required to make an informed decision about the financial service and product being offered.  The onus is on the bank to take all reasonable steps to ensure that the customer is aware of all the relevant facts such as the benefits and risks, total costs and expected or actual returns, contractual obligations and recourse options available. Product Development, Compliance and Legal will need to work together to review the T&Cs and other client facing documentation to ensure that they meet the criteria and in particular, use plain language, are relevant to the nature and complexity of the product and not misleading. The Authority reserves the right to determine the form of disclosures that must be used for some products and services.

Complaints (effective July 2021) – banks must establish, maintain, and operate an adequate and effective complaints management framework to ensure fair treatment of complainants. This obligation extends to ensuring that third party service providers of the banks also have adequate complaint management processes in place. The nature of the complaints handling program must reflect the size and complexity of the bank as well as the nature of the products and services. Clear processes and procedures must be put in place for the investigation, resolution and reporting of complaints and data relating to complaints must be analyses and assessed to determine where improvements in customer outcomes can be achieved.

Refusal, Withdrawal or Closure (effective July 2021) – a bank may withdraw a service or terminate a relationship with a customer if it provides the customer with reasons and sufficient notice. Termination by the bank can be without notice if compelled by law or reasonably believes the product or service is being used for illegal purposes. A bank may not impose unreasonable barriers to exit for customers and must in fact assist the customer to terminate or transfer to another bank should they wish to do so.

 

The transitional periods for the requirements are either 8 months to 12 months which provides sufficient time for all the banks to bring their policies and procedures into compliance. This is more so the case because the TCF principles have been in play for several years and banks should already have some version of these requirements in place. The FSCA test the application of the standards through micro and macro supervision of banks comprised on off-site and onsite inspections, reporting and other engagement with the banks. 

On 23 June 2020, the Central Bank of Nigeria (CBN) issued the Exposure Draft of Regulatory Framework for Sandbox Operations. The framework details the establishment, rules and operations of a Regulatory Sandbox for the Nigerian Payment system and reflects the Central Bank’s commitment to promoting innovation in financial services. The CBN states in the press statement that it recognizes the growing consumer appetite for payment solutions and emerging technologies in financial services. Sandboxes have grown in popularity across the world as regulators use them as a means to monitor emerging innovations and gain insight for regulatory developments.

The Central Bank stipulates that the sandbox will be open to currently licensed financial institutions and fintech companies, as well as other fintech, technology and telecommunication companies wishing to test innovative payment products or services. Below we summarize the eligibility criteria and how the applications will be evaluated once the Sandbox is open for applications.

Participant Eligibility

Participation in the Regulatory Sandbox will require that the product or service meets the following criteria –

      1.  The product or service must be innovative with potential to

a.  Improve accessibility, customer choices, efficiency, security, and quality in the provision of financial services; or

b.  Enhance the efficiency and effectiveness of risk management in Nigerian Financial Institutions; or

c.  Address gaps in or open new opportunities for financial benefits or investments in the Nigerian economy.

       2.  Applicants must have completed an assessment of the adequacy and appropriateness of the product and be able to demonstrate the benefits of the product as well as an understanding of its associated risks.

       3.  Applicant must have the necessary resources and expertise to support the testing process, this includes resources for risk mitigation and controls.

       4.  The applicant should have a realistic business plan to deploy the product, service, or solution on a commercial scale in within Nigeria.

       5.  An applicant must conduct a risk assessment and identify potential risks to financial institutions and customers that may arise from the product and service and propose appropriate safeguards to address those risks

In its evaluation of applications, the Central Bank will consider the preservation of business practices, promotion of healthy competition, fair treatment of customers, compliance with AML regulations and confidentiality of customer information. Further to this the continued safety and reliability of the payment system and financial stability must be protected.

Specific Customer Safeguards

Innovators will need to put in place safeguards to ensure that they minimise detriment to customers participating in the testing process. The necessary safeguards will be unique to each test but will include, and are not limited to, some the following –

1.       Limiting the number of customers participating and limiting the type and size of transactions.

2.       Obtaining written consumer consent to participate in the testing and implementing additional requirements around protecting customer information

3.       Disclosing risks to customers and ensuring that they have understood and accepted those risks

4.       Limiting testing period to 6 months per cohort (with the possibility to apply for an extension)

5.       Providing consumer redress mechanisms e.g. compensation for loss or harm suffered

6.       Adequate and competent resources to undertake testing and risk mitigation.

Applicants for the Regulatory Sandbox will apply for participation through the CBN’s Regulatory Sandbox online application form and submit along with the forms all relevant supporting documentation as listed. Applications will then be evaluated, and applicants advised of the outcome after 30 working days. There will be a single cohort each year and the number of innovators in each cohort will be determined by the resources available within the CBN to support the innovators. At any point during testing the Central bank may review and revoke a participant’s approval if it has any concerns around violation of laws, data breaches, consumer detriment or the innovator failing to address technical issues.

Post testing the participants will be required to submit a report to the CBN within 30 days of exiting the Sandbox detailing the following –

      1.   Key outcomes, key performance indicators against agreed measures and findings of the test

       2.  A full account of all incident reports and resolution of customer complaints

       3.  In the case of unsuccessful tests, lessons learned and how the firm intends to wind down the test.

Upon completion of testing the CBN will decide whether to allow or prohibit the product, service, or solution from being deployed into the market. This initiative means that Nigeria will join South Africa, Kenya, Uganda, Sierra Leone, Mauritius, Mozambique, Tanzania and Rwanda on the list of countries in Africa that have either launched or are in the process of launching Regulatory Sandboxes. Its clear the African regulators are embracing the wave of technological development in financial services and there may be exciting times ahead in terms of the development in the regulatory landscape. 

The Exposure Draft is open for comments and input until 15 July 2020.

Conduct of Business regulation focuses on how firms do business with their customers and includes looking at mandatory information disclosures, fair business practices, objectivity of advice and the general honesty and integrity with which firms operate. Financial regulation in Kenya is divided between the different sectors e.g.  insurance, banking, and capital markets, with each sector having its own specific regulator and governing legislation. The Financial Markets Conduct Bill will establish a new regulator called the Financial Markets Conduct Authority whose objectives shall be to protect all retail financial customers with respect to financial services and products to ensure fair competition and financial inclusion. Below we highlight six of the topics covered in the bill.

Introduction of Financial Conduct Licenses

Any person seeking to provide as a part of their business financial products or services to retail customers will be required to obtain a Financial Conduct License. A applicant for this license will need to meet certain criteria including but not limited a requirement for key persons and significant owners to meet fit and proper requirements, for the provider to have adequate risk and governance structures in place, adequate financial resources and be offering products and services that are in the best interests of customers. A failure to obtain a conduct license when a business is required to do so will constitute an offence and, upon conviction, the person will be liable to a fine of up to Kshs 10 million (approximately $95 000) or 5 years imprisonment.

Establishment of Conduct Rules & Regulations

The Cabinet Secretary will be empowered by the bill to make conduct rules to ensure that customers are treated fairly, and the risk of products and services being used for financial crime is mitigated. The rules will include requirements around measures to combat abusive practices; fair treatment of customers when it comes to marketing and promotion, distribution, advice and resolution of complaints and disputes; providing information to customers; governance in relation to the operation of governing bodies and the management of conflicts of interest; as well as financial management and establishment of control functions.

Regulation around the provision of credit

The Cabinet Secretary may make regulations prescribing standards and imposing requirements with respect to the provision of credit to retail customers. This includes requirements for provisions to be included in credit contracts such as the amount of credit involved, duration of contract, purpose for which credit is provided, borrowers obligations and repayment.

The regulations will also stipulate that lenders may not solicit customers to enter into credit arrangements or credit agreement variations and should only enter into a regulated credit contract when they have received a written application and have conducted an assessment of suitability and affordability. Further to this the applicant should be provided with a pre-contract statement detailing interest rates, any insurance required, fees, charges and any other costs under the contract, repayment dates and the total amount that will be repayable. The aim being to ensure that a customer is sufficiently informed and educated about the true cost of the credit arrangement prior to entering the credit contract.

A lender should not require a borrower to acquire specific goods and services from specific providers as a condition of the provision of services either at initiation or on an ongoing basis. The borrower also has the right to early repayment of the credit contract without penalty should they wish to do so. 

Interest RatesChargeable

A lender is not permitted to charge or attempt to charge any amount of interest that is more than the maximum rate prescribed by the Authority and may be fined up to Kshs 10 million if convicted of the offence. Further to this if a borrower defaults the total amount of interest, fees, charges, and costs, however described, shall not exceed the outstanding balance at the time of the default. These regulations along with the requirements around credit agreements aim to put a stop to predatory credit practices in the market.

 

Establishment of the Financial Sector Ombudsman

The Ombudsman is established to resolve complaints made by retail customers in relation to the provision of financial services products and services rendered to them by financial services providers. A complaint can be raised on the basis that a financial services provider has contravened a law, is in breach of contract, or has treated the customer unfairly and the Ombudsman will mediate the compliant and make a determination accordingly. Any determination made by the Ombudsman is binding on the provider.

Establishment of The Financial Services Tribunal 

The Tribunal will be established to hear applications in relation to reviewable decisions and provide directives. The Tribunal may set aside the decision; set aside and remit the matter to the decision make for further consideration; dismiss the application; or make any other order it deems just and necessary. Any party aggrieved by a decision of the Tribunal may make an appeal to the High Court.

It is unclear at this stage how this bill will work with existing laws and regulations to ensure a homogenized and consistent approach to conduct risk across financial services. The Central Bank of Kenya has expressed concerns that the Conduct Authority will infringe upon its mandate and curb the Central Bank’s ability to regulate fees and charges. The Finance Ministry has however assured that “there will be no overlap, duplication or contradiction whatsoever” and that the views of the Central Bank would be considered before the bill was presented to parliament.

There has been little movement since the bill was published in 2018 however we continue to keep a watchful eye on the regulatory landscape in Kenya.

 

 

 

We are in the middle of a global pandemic the likes of which has not been seen in the 21st century.  The whole world is navigating uncharted waters as we adapt to new ways of living and working in a bid to stop the spread of Corona Virus. Under pre-Corona, business as usual conditions, a Compliance Risk Management Plan (CRMP) would typically be reviewed annually, however it is also a dynamic document that must be responsive to changes in the operating and regulatory environment and updated when required. This would be such a time!

Immense changes have arisen in our operating environment as a result of the pandemic and the measures put in places to limit its impact. We expect that during this challenging time Compliance professionals have been getting on with the work of not only advising the business as it implements business continuity plans, but also reviewing their own risk assessments and reassessing the control environment to ensure that it is adequate and effective so that business continues in a risk managed way.

This Insight highlights some of the risk categories that may require reassessment by the Compliance team as a part of the review. It is by no means exhaustive but aims to illustrate the impact of the pandemic on the business of compliance management, and shows the importance of having an agile and adaptable Compliance function and a strong Compliance culture.

      Cyber Security Risk

As a social distancing measure many people are working from home and many companies are realizing that they can operate quite effectively in this manner and may implement remote working as a long-term strategy post Corona. IT Security policies need to adapt to this new way of working and have adequate controls in place to ensure that staff are observing all protocols to ensure devices are secure and protected from cyber threats like ransomware and theft of confidential data. Organisations need to implement monitoring and reporting mechanisms for employees who, when working outside of the office environment without immediate access to management oversight and advice, may become more vulnerable to social engineering or phishing threats.

 

       Data Protection

Proper document retention and disposal procedures are important in protecting the confidentiality of information held by organisations. Individuals may become more relaxed about leaving devices unlocked, documents in plain view, or disposing of company documents in an unsecured manner. Financial institution records are subject to mandated record retention periods and employees need to ensure that records in their possession that fall within the scope of these regulatory requirements are retained accordingly.

Access to information, even within an organisation, is on a need to know basis, and there is a risk of inadvertently sharing information across Chinese walls due to screen sharing and email forwarding which is more prevalent in the remote working set up.

 

      Third Party Oversight

Several organisations make use of third-party providers for various processes in their business and are required to maintain appropriate oversight. This is particularly so where the outsourced activity is deemed to be critical in nature and requires more robust risk assessment and monitoring. Lockdown and social distancing eliminates or restricts a critical tool in the oversight arsenal, that is, the ability of assurance providers like internal and external auditors to conduct onsite visits to assess risks and verify controls. This leaves the organisation in a position where it must place a heavy reliance on a third party’s self-assessment of its risks and controls, as well as the third party being forthcoming about any potential issues.

 

      New Business Initiatives

Product development, sales and post sales activities will need to adjust to a new way of doing business. The product approval process will require closer scrutiny of the risks described above as well as other risks brought about by the requirement to maintain social distance. This includes collection of KYC documentation from, and sales and post sales servicing for vulnerable customers like the elderly and people with comorbidities. Safe channels and practices for interacting with these clients need to be established.

 

      Treating Customers Fairly

Customers are feeling the financial impact of Corona Virus due to job losses and business closures. Financial institutions have responded to the call to provide debt relief and payment holidays to its customers and it is important to ensure that Treating Customer Fairly is at the heart of these relief initiatives. Customers must be given sufficient information to have a full understanding of the products and their suitability for their needs. The terms and conditions must be clear and fair to ensure that they do not find themselves in a worse off position. 

 

Customers who find themselves dissatisfied with a service provider may wish to submit a complaint. Due to support staff such as contact center agents being fewer in number during this time, responding to customer complaints may be delayed. A key component in the complaints handling process is timely investigation and resolution of customer complaints, in fact in some jurisdictions specific timelines are mandated for complaints handling and failure to meet these expectations is a regulatory breach.

Its is clear how the risk profile of a business has changed as a result of corona virus, now let us discuss what measures can be put in place to better manage these heightened risks.

       Governing Body Reinforcement of Compliance Culture

The Board is responsible for the governance of compliance in the organisation and is ultimately responsible for overseeing the management of compliance and setting the tone for the compliance culture of an organisation. It should be messaged through all levels of the organisation that despite social distancing and remote working, the culture of compliance must continue to be observed and upheld. The expectation should always be clear that despite remote working company policies such as the Code of Conduct continue to apply and should be followed strictly. If the Board determines that the organisation’s strategy or risk tolerance levels should be adjusted as part of the response to the pandemic, then this too should be adequately communicated throughout the organisation.

       Policy & Procedure Review

Existing policies must be reviewed and updated to ensure that they address the new way of doing business and incorporate procedures to mitigate increased or altered risks. The rationale and sign off of these changes in policies and procedures should also be captured as a part of the review process to ensure that the decision making can be supported if questioned in future. Employees in the organisation also need to be able to easily access and reference the new policies to allow them to operate effectively and with confidence that they are following the approved modus operandi. 

Training & Awareness Campaigns

Where existing policies and procedures are updated, or new policies introduced into the system, training should be provide to relevant staff to ensure that they are adequately empowered to deal with customers, operations, and complaints. Company wide awareness campaigns to reiterate heightened risk areas such as cyber security and data privacy, and the employees responsibilities in these areas will be critical in ensuring the organisation does not become more vulnerable to threats. Induction training and on-boarding processes for new hires will need to be reviewed and made more robust to make up for the lack of in person supervision by a manager.

       Adjust the Monitoring & Testing Plans

Monitoring plans are created from risks identified during the risk assessment process. Categories previously rated lower and then revised to higher risk rating will need to be reprioritised in the Monitoring Plan. Compliance focus will then be on monitoring and reporting on those risk areas and ensuring they are managed appropriately. The testing methodology itself will also need to be adjusted to ensure that it considers remote working and social distancing requirements.

Maintaining Relationships with Regulators

The maintaining a positive relationship with regulators is an important element in the implementation of any Compliance Management Plan. This requires early engagement on challenges being faced by an organisation such as meeting reporting deadline or handling complaints handling due to lack of employees, or a data breach incident due to remote working security issues. It is a matter of working with the regulator to achieve the best possible outcome with the least possible adverse impact on customers. The Regulator is adjusting to the pandemic as it unfolds and serves the purpose of ensuring the continued stability of the financial system and protection of customers.

It is unknown how long this pandemic will plague the world and what the working environment will look like going forward. What is clear is that the situation is developing and changing rapidly and as Compliance professionals working in this environment we need to be able to adapt and respond to this change in a way that allows us to effectively support the businesses we work in and retain the reputation of trusted advisor.

 

 

 

 

In a statement issued on 03 March 2020, the Central Bank of Nigeria (CBN) published the Draft Guidelines for the Regulation & Supervision of Micro-Finance Banks. These new guidelines aim to strengthen and support the development of the sector in Nigeria. A Micro-Finance Bank (MFB) is a company authorised by the CBN to carry on the business of providing financial services, such as savings, deposits, loans and domestic funds transfers, and their clients typically includes the economically active poor; low income households and the unbanked and underserved.

The guidelines also recognise the existence of credit only, membership based micro-finance institutions known as Non-Governmental Organisation Microfinance Institutions (NGO MFIs) which fall outside the scope of the CBNs regulatory authority. These institutions are non-deposit taking and are permitted to continue engaging in the activity of providing micro-credit to their target market and will not be impacted by these guidelines. However, should an NGO MFI wish to convert into a MFB it shall be required to comply with the provisions of the guidelines to obtain the requisite license and comply with all applicable provisions.

The Central Banks’ Micro-Finance Policy, Regulatory and Supervisory Framework was first issued in 2005 and then revised in 2011, and seeks to accomplish the following objectives 

• Make financial services accessible to the potentially productive market who would otherwise not have access to financial services
• Provide synergy and mainstreaming of the informal sub-sector into the national financial system
• Enhance service delivery by micro-finance institutions to micro, small and medium entrepreneurs
• Contribute to rural transformation by mobilising savings
• Promote linkage programmes between microfinance institutions (MFIs), Deposit Money Banks (DMBs), Development Finance Institutions (DFIs) and specialized Funding institutions.
• Create employment opportunities and increase the productivity and household income of the economically active poor and thus increases their standard of living
• Promote a platform for micro-finance service providers to network, exchange views and share experiences.

 

       The draft guidelines as issued seek to implement these objectives and below we highlight a few of the provision contained therein to achieve these outcomes.

Licensing Requirements  

The draft microfinance banking guidelines sets out 4 categories of micro-finance banking license and details the requirements that need to be met for a company to be permitted to operate in Nigeria. A company can be licensed as Tier 1 Unit – Urban Authorisation, Tier 2 Unit – Rural Authorisation, State Microfinance Bank, or a National Micro-Finance Bank. The application process and criteria for each category as well as permissible and prohibited activities are clearly defined in the guidelines. Any MFB that engages in a prohibited activity is in contravention of the regulations and this contravention constitutes grounds for the revocation of their license.

Every authorised MFB is also required to be a member of the National Association of Micro Finance Banks.

 

Corporate Governance Requirements

With respect to Corporate Governance requirements The CBN Code of Good Governance for Microfinance Banks shall be applicable to all categories of MFBs.  The revised Assessment Criteria for Approved Persons Regime for Financial Institutions will apply to all categories of MFBs except the Tier 2 Unit – Rural Authorisations for whom the minimum qualifications of top management will be assessed in terms of the governance provisions contained within the draft guide.

The Nigerian Code of Corporate Governance 2018 seeks to institutionalise corporate governance best practices in Nigerian companies and sets out the roles and responsibilities of the board including continuing education, corporate governance evaluation, and remuneration governance.  It requires a sound risk management framework and establishment of professional and ethical standards. The Code adopts a principles-based approach in specifying minimum standards that should be adopted. Where required companies should adopt the “Apply and Explain” approach which assumes application of all principles and requires entities to explain how they have been applied them to achieve the outcomes intended by the Code.

 

Compliance with Anti-Money Laundering Laws

Every MFB will be required to comply with the Money Laundering (Prohibition) Act 2011, Terrorism (Prevention) Act 2011 and the principles and procedures for Know Your Customer (KYC) and must appoint a designated Compliance officer of management level to ensure compliance with these laws. The MFB’s duties and obligations around anti-money laundering and terrorist prevention also include limitations on the acceptance of cash, customer due diligence and a duty to report suspicious activity.

 

Compliance with Cyber-Security Policies

With respect to cyber security, MFBs will be required to comply with the CBNs Risk-based Cyber-Security Framework & Guidelines for Deposit Money Banks and Payment Service Providers to ensure enhanced operational resilience and risk management. They are expected to take proactive steps to secure their critical information assets including customer information that is accessible from cyber space. An increase in cyber threat activity has been noted by the regulator and it is critical to the integrity of the financial system that all participants in the financial services market are well equipped to identify, manage and respond to such threats.

 

The implementation of CBN’s microfinance policy over the last 6 years has shown the impact the sector can have on poverty reduction, economic growth and financial inclusion. This framework aims to put in place protection, governance and best practices for this sub-sector of the financial services industry and to ensure it continues to grow and contribute to the national plan of financial inclusion for all.