Practice

Data Protection

DFSPs commit to collecting end user data only for purposes that benefit or reduce harm to end users, and to safeguarding that data. Any data submitted by DFSPs to the Scheme also needs to be kept secure. Scheme rules and approaches to Data Protection are well aligned with relevant regulations related to collection, storage, and usage of end user data, including personally identifiable information.

Safe Payments

The Scheme ensures that users can conduct their transactions safely.

How to Implement

Guidance

Ensure data privacy.

The Scheme rules align with all data privacy regulations. Data privacy rules ensure that end user data is collected in a transparent manner, with consumers’ knowledge, and is limited to data necessary to operate and enhance the Scheme for end users’ benefit (e.g., confirmed fraud reporting, gender disaggregated data).

Minimize end user identifying data in transactions.

Scheme rules should require DFSPs to annually certify that no personally identifiable end user information is carried in the payment transaction, unless provided by the payee and as required by regulation. Any data that is collected is retained only for the length of time it is required, and in line with relevant regulations.

Leverage APIs to minimize personal information in transactions.

Where personal information is needed, consider using API calls to perform validation of this data so that it does not need to travel with the transaction. 

Protect data through data security measures.

The Scheme establishes reasonable data security procedures and controls, in line with relevant regulations, to ensure that all data that passes through the Platform is stored and transmitted in a way that prevents access and use by unauthorized parties. The Scheme requires DFSPs to also establish such procedures and controls.

Plan what should happen when something goes wrong.

Scheme rules should specify the circumstances in which, and the process by which, DFSPs report potential disclosure of end user data due to security breaches, along with any mandatory actions to be taken if a data leak occurs.

Why It Matters

This helps ensure that end users’ data is collected and used for the agreed upon purpose only and that the data is protected by DFSPs and the Scheme. These efforts to ensure data privacy and security encourage adoption and use by building trust through a safe Inclusive IPS.

Seeing More Clearly

Select a lens to learn the “why” behind this practice.

Women’s Inclusion

Low-income women are particularly vulnerable to misuse of their private data, which can lead to harassment, incidence of fraud, and other safety concerns, and thus benefit from strong data privacy policies and rules. Ensuring that DFSPs minimize data to limited purposes, and to ones that benefit women, and that they secure the data is essential to building women’s trust in the Inclusive IPS.

Fraud Mitigation

Payment messages often capture and transmit rich data elements, sometimes including personally identifiable information on end users. Sharing of that data, even for fraud mitigation, requires controls to protect end user privacy and DFSP data confidentiality.

A woman purchases a necklace using mobile money in Rwanda.

Tools

Related Resources

From the Community

Helpful resources from other organizations on implementing this practice.

    PDF | World Bank

    Proxy Identifiers and Databases in Payments (Part of the World Bank Fast Payments Toolkit)

    Report explaining proxy identifier and database types, as well as considerations for proxy identifier desig
