FOCUS NOTE Basic Regulatory Enablers for Digital Financial Services Executive Summary Digital financial services (DFS) differ from traditional financial services in several ways that have major implications for regulators. The technology enables new operating models that involve a wider range of actors in the chain of financial services, from design to delivery. The advent of DFS ushers in new providers such as nonbank e-money issuers (EMIs), creates a key role for agents in serving clients, and reaches customers who have otherwise been excluded or underserved. This in turn brings new risks and new ways to mitigate them. For many years now, CGAP has been interested in understanding how these new models are regulated, and how regulation might have to adapt to enable DFS models that have potential to advance financial inclusion. This Focus Note takes a close look at four building blocks in regulation, which we call basic regulatory enablers, and how they have been implemented in practice. Each of the enablers addresses a specific aspect of creating an enabling and safe regulatory framework for DFS. Our focus is on DFS models that specifically target excluded and underserved market segments. We analyze the frameworks adopted by 10 countries in Africa and Asia where CGAP has focused its in-country work on supporting a market systems approach to DFS. The four basic enablers are as follows: Nonbank E-Money Issuance. A basic requirement is to create a specialized licensing window for nonbank 1.  DFS providers—EMIs—to issue e-money accounts (also called prepaid or stored-value accounts) without being subject to the full range of prudential rules applicable to commercial banks and without being permitted to intermediate funds. Use of Agents. DFS providers—both banks and nonbanks—are permitted to use third-party agents such as 2.  retail shops to provide customers access to their services. Risk-Based Customer Due Diligence (CDD). A proportionate anti-money laundering framework is adopted, 3.  allowing simplified CDD for lower-risk accounts and transactions. The latter may include opening and using e-money accounts and conducting over-the-counter (OTC) transactions with DFS providers. Consumer Protection. Consumer protection rules are tailored to the full range of DFS providers and 4.  products—providing a necessary margin of safety and confidence. Why the focus on these four elements? They arise consistently in CGAP’s experience working on DFS frameworks, and their importance underscored in research and policy discussions. There is wide agreement No. 109 that the four enablers are necessary (though not sufficient) conditions for DFS to flourish. This is not to May 2018 deny that DFS has emerged in some markets where one or more of the enablers are weak or missing. It is also not to say that in certain cases other enablers such as healthy competition or interoperability might be Stefan Staschen equally important. But experience strongly suggests that, in any given market, DFS is far more likely to grow and Patrick Meagher responsibly and sustainably and achieve its full potential when all four elements are in place. (Empirical research confirms some of these correlations.) Through our research, we aim to understand how a range of countries has addressed the four enablers in their regulatory frameworks and to see what lessons can be learned from their experience. The countries covered are Kenya, Rwanda, Tanzania, and Uganda in East Africa; Côte d’Ivoire and Ghana in West Africa; Bangladesh, India, and Pakistan in East Asia; and Myanmar in Southeast Asia. 2 Nonbank e-money issuance E-money accounts and their issuers use different names across the world, but the basic concept is often very similar. The first element in enabling nonbank e-money issuance is to incorporate the concept of e-money in the regulatory framework. E-money combines several functions such as facilitating payments and storing value electronically. A workable definition must squarely address these payment and deposit- like aspects. The second element is allowing nonbanks to issue e-money. This opens the DFS market to new providers such as mobile network operators (MNOs) and specialized payment services providers (PSPs), which are often more successful in reaching the mass market than are traditional banks. This step also brings such nonbanks (or their subsidiaries) under the authority of the financial services regulator—often the central bank. However, in some of the 10 countries studied, only banks may issue e-money. Typically, commercial banks are not the most efficient providers because of their high costs, which are partly attributable to heavy prudential and operational regulations. Nor is it recommended to permit all PSPs licensed under general payment regulations to issue stored-value accounts. E-money requires specific rules to protect funds collected from clients for future use. There is an essential difference in the risk profiles of pure fund transfers versus stored-value accounts. But banks and PSPs may become issuers if the regulations are sufficiently nuanced to afford proportionate safeguards and a level playing field. The third element is to delimit the range of permitted activities for EMIs. In general, EMIs may carry out core functions such as issuing e-money accounts, cash-in, cash-out, and domestic payments and transfers— but not financial intermediation (except, in a few countries, limited investments in government securities). The fourth element of the regulatory framework is to address the handling of customer funds converted into e-money (i.e., e-float), in the absence of a license to intermediate depositary funds. Rules in the countries studied require the e-float to be kept in safe, liquid assets. Regulations usually include standards that specify protection of the float funds through some combination of diversification, isolation and/or ring-fencing (from claims on the issuer), and safeguarding (from claims on the institution holding float deposits). Use of agents The viability of DFS depends on providers’ ability to outsource functions to agents—thereby extending their reach and capturing efficiencies. But this also heightens risks unless some key safeguards are put in place. One such safeguard has to do with relationships between providers and their agents. Allocation of legal responsibility is considered essential so as not to overburden the regulator with directly supervising a huge number of agents. DFS regulations in the countries studied make the principal (the DFS provider) liable for its agents’ actions within the scope of delegated responsibility (expressed or implied). In most cases, however, the regulations do not solely rely on this liability provision and set criteria for the form and content of the agency agreement. They also specify certain due diligence and risk management steps, such as requiring the principal to have appropriate internal controls and agent monitoring systems and to carry out ex ante and ongoing (or periodic) assessment of an agent’s risks. Another issue of concern to regulators is the eligibility of agents—that is, who can become an agent (or a certain type of agent). Most countries require all agents to be registered businesses, although this is not always followed in practice because it unduly restricts the number of potential agent locations. A few 3 countries allow individuals to serve as agents if they are educated, or if they have experience or businesses considered relevant. An issue related to competition, but also one that impacts outreach of agent networks, is whether agents can operate on behalf of multiple providers. Most of the countries studied prohibit exclusivity clauses in agency agreements that would bind an agent to a sole principal. Agent regulations also deal with the ongoing obligations of both agents and principals, and the security and reporting standards. Security and accuracy of client transactions and the reliability of the technologies involved are commonly addressed in agent regulations. Providing confirmation of transactions to the client is mandatory. Many countries prohibit agent transactions going forward where there is a communication failure. Regulatory frameworks take different approaches. The treatment of agents depends sometimes on the category of institution represented by the agent (e.g., bank or nonbank), sometimes on the type of account being handled (e.g., e-money or bank deposits), and sometimes on the activities performed by the agent (e.g., account opening or cash handling). Each approach raises distinct challenges in making regulation effective. Risk-based customer due diligence DFS operate within regulatory contexts shaped by policies on anti-money laundering and countering the financing of terrorism (AML/CFT). The challenge for financial inclusion is to ensure proportionate treatment using risk-based frameworks that protect the integrity of the system while imposing the least burden on DFS outreach. In discussing customer due diligence (CDD) standards adopted in the countries studied, we consider how effectively they implement Financial Action Task Force (FATF) guidance prescribing the use of simplified procedures in lower-risk scenarios. (Often the regulations refer only to the identification [ID] component of CDD, i.e., know your customer [KYC].) A common approach is the definition of risk tiers to which CDD procedures of varying intensity are applied. CDD rules typically focus on risks as determined by the features of the accounts or transactions provided, the types of clients, and the modalities of account opening and transacting (e.g., in-person or not). Most of the countries studied define two or three tiers (e.g., high, medium, and low risk). A major contextual factor in CDD/KYC is the development of national ID documentation and verification systems. Limited availability of official ID documents has constrained financial services outreach, and therefore—in line with FATF guidelines—policies have been adopted to adjust ID requirements on a risk basis. Parallel to this trend of increasing the range of accepted identification methods is an unrelated trend of increasing government investment in universal provision of ID equipped with biometric technology. The benefits of advances in ID systems may obviate the need to accept a broad range of identity documents, but not necessarily the need for tiered account structures. The latter are still required because of other components of CDD. Consumer protection Digital channels and the use of agents pose special customer risks because of the potential for communication failure, identity theft, lack of price transparency and access to recourse by the client, and fraud. Ensuring that DFS have the necessary reliability and public trust to become a pillar of inclusive finance means establishing effective consumer protection. Regardless of whether it must be fully in place before DFS can spread, such protection is a necessary part of ensuring a sustainable market with long-term benefits to financial inclusion. In practice, however, the rules in this area are often unclear and incomplete. 4 The piecemeal extension of consumer protections into specific domains of DFS and DFS providers has tended to create a patchwork of regulation. Transparency and fair dealing are core components of financial consumer protection (FCP) in DFS as in other areas. DFS providers are required to disclose fees, commissions, and any other costs to clients. Product information is to be posted at all service points and made available electronically. However, few of the 10 countries studied stipulate a standard disclosure format. The regulations usually mandate a written contract (which may be electronic), and sometimes impose a duty on the provider to explain key terms and conditions to the client before contract signing. Also, there are often fairness standards that require or prohibit certain contractual provisions. It is a cornerstone of accountability to customers and regulators, and thus a tenet of good practice, to require each provider to set up a system for handling customer complaints. The countries studied incorporate this principle into regulation and apply it in some form to DFS providers. Well-developed frameworks address issues such as facilitating access to the system and tracking complaints, response deadlines, and appeals. Along with issues common to all financial services, DFS consumer protection must also deal with the special risks of electronic transactions. Thus, a majority of the 10 countries impose some standard of service availability and/or digital platform reliability. Beyond this, regulation must balance the need for certainty of execution—nonrepudiation—against the need to allow for correcting mistaken or unauthorized transactions. The regulations may impose a general duty to inform customers of the need to protect ID and password information and the risks of mistaken transactions, or to specify how and under what conditions customers may demand revocation. Lessons of experience Some broad insights arise from the study. The experience of the African countries among the 10 countries shows the importance of EMIs—the first enabler. But this needs to be seen in light of a case such as India, where issuers (of what equates to e-money) are limited-purpose banks (called payments banks) that are subject to lower prudential requirements. Such an approach is certainly preferred to an approach where only commercial banks can issue e-money. The second enabler, the use of agents, seems to be the most consistently observed in practice. The liability of the principal for its agents’ actions is a key provision that allows the regulator to focus its attention on the principal. In most cases, there is substantial flexibility (as there should be) regarding who can be an agent. The third enabler, risk-based CDD/KYC, is strongly influenced by countries’ desire to strictly follow FATF guidance. The shift toward risk-based rules at global and national levels, combined with digital ID system developments, is starting to allow for greater DFS outreach, but at differing rates across countries. Consumer protection, the fourth enabler, comes into the picture rather late, because it has a more obvious role in ensuring sustainability than in jump-starting DFS markets. But its importance as a trust-building element is now widely recognized. Finally, it should be borne in mind that other conditions besides these enablers play a role in shaping DFS development, including policies in areas such as competition, data protection, and interoperability. A collective learning process is ongoing among policy makers and regulators, both within and across countries, as the frontier of good practice advances. Some of the countries studied (Myanmar) have only recently adopted specific regulations for DFS and have been able to learn from earlier experience of other countries. Others (Ghana) can look back on many years of experience with DFS regulation and learn from past mistakes. Still others (Pakistan) have been able to improve their regulatory framework gradually over time. 5 Introduction Four factors distinguish DFS in a financial inclusion— or digital financial inclusion—context from How can regulation encourage the use of sound, traditional financial services: (i) new providers such technology-driven methods to speed financial as e-money issuers (EMIs); (ii) heavy reliance on inclusion? What lessons can we learn from digital technology; (iii) agents serving as the principal experience in countries that have pursued this interface with customers; and (iv) use of the services goal? by financially excluded and underserved customers.5 Each of these factors has implications for digital It has been more than 10 years since CGAP first financial inclusion—and for regulating DFS. studied newly emerging models that use agents as alternative delivery channels and digital technology For many years now, CGAP has been monitoring how to connect customers to their financial services new DFS models are regulated, and how regulation providers. We called this branchless banking and might have to adapt to support or enable DFS models referred to those models that directly benefit with the potential to advance financial inclusion. the unbanked or underbanked population as In 2007, CGAP developed a list of “key topics in transformational branchless banking. 1 The regulating branchless banking” (Lyman et al. 2008). terminology has changed over the years, especially Four of these topics are now widely considered the to recognize the developments in relation to core building blocks of DFS regulation. This Focus services provided by nonbanks. Nowadays we Note takes a close look at these four basic regulatory prefer to use the broader terms digital financial enablers and how they have been implemented in services (DFS) and digital financial inclusion. But practice. We analyze the frameworks adopted by 10 the basic ingredients—agents and technology— countries in Africa and Asia where CGAP has focused remain the same. its in-country work on promoting a wider market systems approach to DFS.6 We define DFS as the range of financial services accessed through digital devices and delivered The four basic regulatory enablers through digital channels, including payment, credit, savings, and remittances.2 DFS can be offered The following enablers have guided CGAP’s by banks and nonbanks such as mobile network assistance in partner countries in creating operators (MNOs) or technology companies that appropriate regulatory frameworks for DFS: specialize in financial services (FinTechs). 3 Digital channels can be mobile phones, cards combined Enabler 1: Nonbank E-Money Issuance with card readers, ATMs, computers connected to A basic requirement is to create a specialized the internet, and others. Customers transact through licensing window for nonbank providers—EMIs. branches, but also through agents or remotely These entities accept funds from individuals for from their digital devices. They typically use basic repayment in the future (an activity normally transaction accounts targeted at the mass market reserved for banks) against the issuance of e-money (including e-money accounts, also called prepaid or accounts (also variously called prepaid or stored stored-value accounts), but also access services over value accounts), a type of basic transaction account. the counter (OTC). 4 EMIs may issue such accounts without being subject 1 The term “branchless banking” was first used in Lyman, Ivatury, and Staschen (2006). Porteous (2006) introduced the term “transformational”. 2 See, e.g., the AFI glossary (AFI 2016). We do not discuss specific issues in offering insurance products digitally. 3 We use the term “bank” to refer to any type of prudentially regulated deposit-taking financial institution unless otherwise indicated. 4 Compare a similar definition of DFS accounts in Arabehety et al. (2016). Our definition of transaction account is in line with the definition in the PAFI Report (CPMI and World Bank Group 2016): “Transaction accounts are defined as accounts (including e-money/prepaid accounts) held with banks or authorized and/or regulated PSPs, which can be used to make and receive payments and to store value.” 5 This list draws on GPFI (2016), but leaves out the factor of new products and services and their bundling, because the focus here is on many of the same products and services offered before. New products such as digital credit, crowdfunding, and bundled products would require a separate analysis. 6 This approach, described by Burjorjee and Scola (2015), focuses on the core determinants of supply and demand, including regulation and supervision as one of the functions supporting the core. 6 to the full range of prudential rules applicable to Enabler 4: Consumer Protection traditional banks—under the condition that they Financial consumer protection (FCP) rules are tailored do not intermediate the funds collected from their to the full range of DFS providers and products. It clients. This opens space to nonbanks that can might be argued that such FCP rules are not necessary provide basic financial services, potentially with for the emergence of a DFS market. It is nonetheless lower costs and greater efficiency. clear that basic rules in areas such as transparency, fair treatment, effective recourse, and service delivery Enabler 2: Use of Agents standards are needed to build consumer trust and Next, DFS providers—both banks and nonbanks—are create a safe and sound DFS sector in the longer term. permitted to use third-party agents such as retail shops to provide customers access to their services. Why the focus on these four elements? They arise This allows the use of existing third-party infrastructure consistently in CGAP’s experience working on DFS to create much wider access at relatively low cost. frameworks, and their importance is underscored in research and policy discussions. There is wide Enabler 3: Risk-based Customer Due Diligence agreement that the four enablers are necessary (though A proportionate anti-money laundering and not sufficient) conditions for DFS to flourish. This is not countering the financing of terrorism (AML/CFT) to deny that DFS has emerged in some markets where framework allows simplified customer due diligence one or more of the enablers are weak or missing, nor (CDD) for lower-risk accounts and transactions, such that other enablers, such as healthy competition or as opening and using basic transaction accounts or interoperability, might be equally important in some conducting low-value OTC transactions with DFS settings. But experience strongly suggests that, providers. This eases providers’ costs of customer in any given market, DFS is far more likely to grow acquisition, while making more people eligible to responsibly and sustainably to its full potential when access and use formal financial services. all four elements are in place.7 (See Box 1.) Box 1. The emerging consensus on regulatory enablers Following a seven-country study in 2007 (Lyman requirements are proportional to the risks of the et al. 2008), CGAP identified (i) the authorization to e-money business; and (iii) mobile money providers use retail agents and (ii) risk-based AML/CFT rules may use agents for cash-in and cash-out operations. as necessary, but not sufficient, preconditions for Furthermore, GSMA lists CDD requirements as one inclusive DFS, and classified several others as “next of the major obstacles to mobile money uptake. It generation” issues, including (iii) regulatory space for also stresses the importance of customer protection the issuance of e-money particularly by nonbanks; measures such as transparency, customer recourse, (iv) effective consumer protection; and (v) policies and privacy and data protection (Di Castri 2013).b governing competition.a The Regulatory Handbook by researchers from the GSMA characterizes countries’ regulatory frameworks University of New South Wales (Malady et al. 2015) on mobile money as “enabling” or “nonenabling” considers four factors relevant to creating an enabling according to criteria including the following: regulatory environment that are like those presented (i) nonbanks are permitted to issue e-money; (ii) capital in this Focus Note.c a The study also mentioned inclusive payment system regulation and effective payment system oversight. The creation of a competitive ecosystem can be regarded as a cross-cutting issue that is not only—and not even primarily—a matter of financial sector regulation. See Mazer and Rowan (2016), who looked at competition in MFS in Kenya and Tanzania. The competition issue most clearly overlaps with our basic enablers 1 and 2. In a recent report, the Center for Global Development makes a distinction between promoting competition and leveling the playing field, with the former addressing market failures and the latter distortions derived from regulations. The report considers these two and KYC rules as the three regulatory topics that matter most for financial inclusion (see CGD 2016). b But GSMA does not cite consumer protection as a necessary regulatory condition for DFS development. See also GSMA (2016). c They are (i) the protection of customers’ funds, (ii) the use of agents, (iii) consumer protection, and (iv) proportionate AML/CFT measures. 7 Empirical research confirms some of these correlations. See, e.g., Rashid and Staschen (2017), who looked at evidence from Pakistan; Evans and Pirchio (2015), who researched 22 developing countries and concluded that: “Heavy regulation, and in particular an insistence that banks play a central role in the schemes, together with burdensome KYC and agent restrictions, is generally fatal to igniting mobile money schemes.” 7 While there is broad agreement that these Approach and objective four enablers comprise the core of an enabling regulatory framework, the detailed content and The objective of our research was to understand sequence of specific policy changes are much how a range of countries have addressed the four less clear. Nor are the four enablers equivalent enablers in their regulatory frameworks and to see in terms of the type or scope of key regulatory what lessons can be learned from this experience. decisions that need to be taken under each to For this purpose, a granular analysis is required— make them effective. Enabler 1 is about creating of both policy and practice—that makes use of room for new players that might be better placed CGAP’s understanding not only of regulatory to serve the lower end of the market than existing issues across the 10 countries, but also of market banks. Enabler 2 permits the use of a new channel structure, provider dynamics, and demand-side (by old and new players) that leverages third-party issues. infrastructure. Enabler 3 addresses the specific challenges in serving new customer segments that The analysis is based on a review of relevant laws might previously not have been eligible or were and regulations from all 10 countries where CGAP too costly to serve. Enabler 4 stresses the changing has focused its in-country work (see Figure 1).9 The nature of consumer protection issues with new countries covered are Kenya, Rwanda, Tanzania, players and new delivery channels that have to be and Uganda in East Africa, Côte d’Ivoire and taken into account for healthy market development. Ghana in West Africa, Bangladesh, India, and Even where an enabler is already incorporated into Pakistan in East Asia, and Myanmar in Southeast a country’s legal framework, there may be need for Asia. 10 They figure among the most advanced improving its effectiveness, by continuously fine- DFS markets (with the exception of Myanmar),11 tuning regulations,8 and/or improving compliance and all but two (Rwanda and Côte d’Ivoire) are and enforcement through supervision. former British colonies that share the common law Figure 1. Countries covered in the research Bangladesh Côte d’Ivoire Ghana India Kenya Myanmar Pakistan Rwanda Tanzania Uganda   8 E.g., India adopted regulations on agents (referred to as business correspondents) in 2006, but has since enacted several amendments to mitigate some of the constraints under the early model.   9 As laws and regulations frequently change, this paper does not include a list of all legal texts consulted. To the best of our knowledge, we considered the state of laws and regulation as of January 2018. For a comprehensive library of DFS-related laws, regulations, and policies, see www.dfsobservatory.com. 10 Unless otherwise indicated, general statements in this paper apply to these 10 countries only. 11 According to the GSMA Mobile Money Tracker, all of them have five or more live mobile money deployments (keeping in mind that DFS is a broader concept than just mobile money). 8 tradition. While the group is hardly representative • Protecting customer funds converted into e-money of DFS markets in the developing world, it includes (i.e., e-float). diverse countries in terms of size, population, and economic structure. Our intent is to analyze the The legal basis for nonbank 1.1  experience of these 10 markets, and to share the e-money issuance lessons. The first step in enabling nonbank e-money issuance is to incorporate the concept in law or regulation.12 Based on legal analysis and our familiarity with the Banking laws are sometimes a bar to nonbank wider ecosystem, we distilled the most pertinent e-money issuance, due to the legal definition of issues relevant to each of the enablers. The banking business; hence, a specialized definition objective was not to come up with a complete of e-money as being distinct from deposit-taking is description of the regulatory framework in each essential.13 E-money accounts and their issuers have of the 10 countries (this would quickly become different names and regulatory headings across the outdated), but to explore commonalities and world. This can create problems of comparability, differences, highlighting the most interesting cases but the basic concepts are largely the same for each issue. everywhere. E-money combines functions such as  nabler 1: Nonbank 1 E facilitating payments and storing value electronically. e-money issuance A workable legal definition must squarely address these payment- and deposit-like aspects. For clarity, Our first basic regulatory enabler is a framework we use a common definition of e-money based on that allows nonbanks to issue a type of basic (digital) that used in the European Union for all 10 countries— transaction account—an “e-money account.” even if the terminology used in local law differs (see Allowing nonbanks to become licensed EMIs is Box 2). In fact, in some countries, the term “e-money” key to unleashing the DFS market and enabling it is not used at all. to achieve scale. Chief among nonbank providers in emerging markets and developing economies The second step is to allow nonbanks to issue (EMDE) are MNOs, who have large networks of e-money. The countries analyzed exhibit several agents and own the communication infrastructure approaches to determining who may be authorized that is key to delivering financial services. Absent a to issue e-money (see Table 1). The most framework permitting EMIs, DFS would continue to common approach is to recognize e-money as a rely on banks, which usually face heavy prudential product offered exclusively by payment service and operating requirements, have high costs and providers (PSPs), which generally include banks. complex organizational structures and IT systems, Kenya, Rwanda, and Tanzania, for instance, permit and limited outreach. Banks may also focus on only PSPs to apply to become EMIs. Having a higher-income market segments, to offset high operational costs. Box 2. E-money definition The following are essential components of the first According to the European Union (Directive 2009/110/EC, Art. 1.3) e-money is defined as: enabler: (i) electronically stored monetary value as represented by a claim on the issuer, (ii) issued • Setting basic parameters for the e-money account on receipt of funds for the purpose of making and EMIs. payment transactions, and (iii) accepted by a natural or legal person other than the electronic • Establishing licensing criteria and range of money issuer. permitted activities for EMIs. 12 In several cases, financial authorities have enabled e-money issuance without defining the concept in legislation (instead, issuing guidelines or no-objection letters). 13 In several countries, the acceptance of repayable funds (even without intermediation) fits the legal definition of banking activity, which prevents the emergence of EMIs. This was the case in Mexico until the adoption of its FinTech law in February 2018. 9 Table 1. E-money issuancea Institutions that may Banks: requirements for EMIs (nonbanks): further Country issue e-money e-money authorization requirements & limitsb Bangladesh “Mobile accounts” can only Banks to seek prior approval Only bank subsidiaries are be issued by banks or their for MFS; must submit full permitted (under the same rules subsidiaries. (EMIs allowed by details of services, contracts, as banks). (EMIs allowed by law law but not in practice.) agents, etc. but not in practice.) Côte Commercial banks and PSPs Commercial banks required EMIs must be dedicated d’Ivoire may issue but must notify only to notify regulator. companies and meet capital (WAEMU) regulator. MNOs must establish requirements: minimum 3% of dedicated subsidiary and apply outstanding e-money, and at for license as EMI. least equal to their minimum share capital requirements. Ghana Banks are authorized as EMIs, Submit plan for proposed If engaged in other activities, nonbanks licensed as dedicated operations, business plan, nonbank must create separate EMIs (DEMIs). geographical coverage dedicated legal entity for DEMI. Min. 25% local ownership India Issuance (open-loop PPIs) Banks/payments banks to No issuance by nonbanks. limited to banks and payments get RBI approval for open- banks. loop PPIs. Kenya Banks, PSPs, and other financial None MNOs must present telecom institutions authorized to issue license. PSPs to keep records e-money. PSP can be telecom and accounts for e-money company or a nonbank. activities. Myanmar Banks and nonbank financial Regulations do not specify, Dedicated company required to institutions including MNOs can only mention that they set up mobile financial services apply to provide MFS require product approval. provider. Nonbanks need letter of no-objection from primary (e.g., telecom) regulator. Pakistan Branchless banking accounts: Application: specify Provision for nonbank e-money Only Banks (Islamic, services and strategy, risk issuance under payments law, Microfinance, Commercial management, security, but no implementing regulations Banks). business continuity, etc. issued Rwanda Nonbanks must get license as Supervised financial Application: describe services, PSP. Commercial banks and institutions approved as governance, risk management, deposit-taking MFIs (supervised PSPs are exempt from IT infrastructure, consumer financial institutions), must be licensing, but must obtain policies, trustees, directors. approved as payment services further approval to issue providers to apply to issue e-money. e-money. Tanzania Only PSPs can issue e-money. Financial institutions need Nonbank PSPs require separate Nonbank PSPs must obtain PSP license to be eligible. dedicated entity. Application: license. PSPs that are financial Application: information on like financial institution, also, institutions require regulator’s services, governance, fund minimum capital, process/ approval. protection. system architecture, etc. Uganda Nonbank can become mobile Partner bank must apply for Limited company; submit money services provider (MMSP) approval to issue mobile financials, risk management, IT as partner of bank. Regulator money on behalf of the systems. The MMSPs (nonbanks) approves partner bank; mobile MMSP. manage mobile money platform. money is product of the bank. a. Some countries separately list banking institutions that are not commercial banks. These distinctions are indicated where relevant. b. EMI licensing requirements are often in addition to the requirements applied to banks seeking e-money authorization. 10 PSP certificate is a prior condition for obtaining bank can accept limited deposits, issue e-money, an e-money license (or authorization). Another and provide remittance services—but cannot approach is for the financial regulator to license EMIs extend credit.16 Payments banks are subject to as a separate, stand-alone category of institution. In less onerous licensing and prudential standards Myanmar, for example, becoming a mobile financial than commercial banks (though more onerous services (MFS) provider (functionally equivalent to than the typical EMI in other markets).17 Among an EMI) requires a registration certificate (e.g., a the promoters of the 11 entities that received “in license) issued under the broad authority of the principle” approval for a license from the central banking law. Côte d’Ivoire, as a WAEMU member, bank were MNOs, the India Post, and other also offers a stand-alone EMI license.14 In the nonbanks such as agent companies and prepaid approaches cited, policy makers create a regulatory payment issuers. niche, or adapt an existing one, to accommodate • In Pakistan, a nonbank e-money model has not the distinct features of e-money. been permitted either. However, MNOs have either bought majority stakes in banks or set up Some of the 10 countries, however, fall short greenfield banks to offer MFS in a de jure bank- of this second step by allowing only banks to based model. Further, these services can be issue e-money. In all 10 countries, banks may provided through microfinance banks, which become issuers, but as they are already licensed benefit from lighter requirements such as lower and supervised, they require approval only by minimum initial capital. the central bank to offer e-money accounts as • Bangladesh follows what is called a “bank-led an additional product. However, three of the model.” However, the fact that not only banks, but countries (India, Pakistan, and Bangladesh)15 have also bank subsidiaries are permitted to offer so- generally treated e-money issuance as analogous called “mobile accounts” has permitted the largest to offering deposit accounts, and thus limited it DFS provider in Bangladesh, bKash, to operate as to banks. a nonbank (but bank subsidiary), and thus follow a de facto e-money model.18 This is a case of The bank-only approach has a few variants, which reality overtaking the original regulatory intent is evidence that nonbanks still play a leading role in of restricting e-money issuance to the banking the DFS space, subject to a few limitations. system. • In India, the equivalent of e-money accounts— In yet another configuration, Uganda requires prepaid payment instruments (PPIs) that are EMIs to be tightly linked to banks—but not to open loop (i.e., can be used outside a restricted be banks. Ugandan EMIs (referred to as mobile network and redeemed for cash)—can be issued money services providers [MMSPs]) offer e-money only by banks. In addition, the central bank has services in partnership with a bank as the licensed created the new category of payments bank entity. The EMI itself is not a licensed institution, specializing in small savings and payments but is responsible for managing the mobile services. This “differentiated” or special-purpose money platform and agent network, and for 14 The West African Economic and Monetary Union is a regional jurisdiction that provides for, among other things, common financial services laws and regulations across member countries. Where this paper addresses Côte d’Ivoire, the main regulations discussed are WAEMU-wide and are overseen by the regional central bank, BCEAO. Other WAEMU members are Benin, Burkina Faso, Guinea-Bissau, Mali, Niger, Senegal, and Togo. 15 See the caveat with respect to Bangladesh. 16 Limited-purpose banks are also the current approach in Mexico, where there are “niche banks” limited to payment services. 17 Payments banks are also subject to ownership rules, including a minimum share (40 percent) for the promoter in the initial years, followed by diversification requirements and restrictions on equity and voting rights concentration. 18 BRAC Bank owns 51 percent of bKash, with the remaining shares owned by Money in Motion, IFC, and the Bill & Melinda Gates Foundation. Bangladesh (as well as Pakistan) in practice does not permit a nonbank-based model, despite having regulatory provisions allowing nonbanks to issue e-money. Bangladesh’s Payments and Settlement Systems Regulations (2014) define e-money issuance as a payment service (only PSPs qualify)—but no license has been issued to nonbank EMIs to date. Also, Pakistan’s Payment Systems and Electronic Fund Transfer Act (2007) provides sufficient room for the direct licensing of nonbank providers as EMIs, but the State Bank of Pakistan never issued implementing regulations to this effect. 11 issuing “mobile wallets,” (i.e., e-money accounts), Licensing requirements, permitted 1.2  under some basic rules established in regulatory activities, and reporting guidance.19 Once a policy of nonbank e-money issuance is In the countries studied, but also in many other in place, further steps are required to define EMDE, full-fledged traditional banks have not licensing criteria and to delimit the range of been efficient DFS providers because of their high permitted activities for EMIs. Limiting the range costs and their heavy prudential and operational of permitted activities is important for lowering regulations. In Bangladesh, for example, while the risk profile of EMIs, which in turn allows more than 20 banks have been licensed to provide them to take advantage of relaxed entry and MFS, none of them comes close to bKash, the only ongoing requirements (i.e., less stringent than for nonbank provider. Bank regulations include a wide commercial banks). The most important limitation range of prudential norms that are not required for EMIs is the prohibition on intermediating funds for EMIs that do not intermediate public funds. collected from their clients. These rules are too burdensome for banks focused on e-money issuance to flourish—except in those Where e-money is conceived as being not a deposit- cases where limited purpose banks are exempt like but rather a payment-like or payment-plus from many of the requirements. While commercial product, there is a straightforward policy basis for bank regulations are too heavy, generic PSP licensing nonbanks as EMIs and regulating them regulations are typically too light for purposes of accordingly. For institutions already engaged e-money issuance, given the different risk profiles in other types of business, licensing (or lighter- of fund transfers versus stored-value accounts. touch authorization) often requires the applicant to establish either a unit (Kenya) or a subsidiary E-money is a distinct product with similarities dedicated to e-money issuance (in Côte d’Ivoire and to both deposits and payments, and should be Ghana for all types of nonbanks, and in Myanmar for regulated accordingly. This is why e-money is MNOs). The separation of e-money operations (and increasingly treated as a kind of payments-plus finances) from those of a parent nonbank company is activity. 20 Thus, Kenya and Tanzania require considered essential for effective supervision (BCBS providers to have a PSP authorization but also 2016, p. 11). The other option is to set up a new, (with the exception of banks) to submit to more free-standing EMI. The legal term for licensed EMIs rigorous further scrutiny to gain an e-money differs across countries.23 license. 21 Ghana and WAEMU allow banks to become authorized EMIs through a relatively Allowing nonbanks to issue e-money entails simple process, while nonbanks must obtain an bringing them under the direct authority of the EMI license. 22 A variety of regulated institutions in financial services regulator—in the 10 countries, these two jurisdictions may seek authorization to the central bank. In some countries, where an MNO issue e-money, including PSPs and microfinance seeks to become an EMI, it must provide supporting institutions (MFIs), and nonbanks such as MNOs evidence from the telecom regulator—for example, may apply for an EMI license. a certified copy of its telecommunication license 19 This arrangement came into being not by design but because of Bank of Uganda’s lack of legal authority to authorize or regulate nonbank PSPs (in the absence of a dedicated payments law). 20 For this reason, in certain jurisdictions e-money is subject to both payments regulation and a specialized e-money regulation. In the European Union, e-money is subject to the general rules of the Payments Directive, which are applicable to all types of payments, and to the rules of the E-Money Directive, which focus on the deposit-like functions of e-money. 21 See relevant sections of National Payment System Act and Regulations (Kenya); and Tanzanian National Payment System Act, 2015 and Electronic-Money Regulations 2015, Third Schedule (Tanzania). 22 Myanmar falls into the same category, although the regulations lack clarity on how exactly they apply to banks when they want to launch MFS. 23 E.g., dedicated EMI (DEMI) in Ghana, etablissement de monnaie electronique in Côte d’Ivoire (for issuers that are not banks, PSPs, or MFIs), and MFSP in Myanmar. 12 Table 2. Capital requirements and authorization fees (US$) Licensed EMI EMI authorization / Minimum initial Country (nonbank) Minimum initial capital: EMI application fees capital: Bank Côte d’Ivoire EMI 490,000 Information not available. 16.36 million Ghana DEMI 1.2 million 2,200 14.25 million India Payments bank 15.4 million Information not available. 77.2 million Kenya EMI 193,000 Authorization fee: 9,700 9.7 million Application fee: 50 Myanmar MFSP 2.2 million Information not available. 14.8 million Rwanda EMI 121,000 Financial institutions: 1,200 3.6 million Nonfinancial institutions: 6,000 Tanzania EMI 224,000 900 6.7 million Uganda MMSP n.a. [must partner with a bank] Information not available. 6.9 million (Kenya) or a no-objection letter (Myanmar). rule. In such cases (Kenya), general rules on money Minimum initial capital for EMIs is lower than for remittance services might apply. banks, ranging from just under US$200,000 for an EMI in Kenya to US$2.2 million for a mobile Most importantly, financial intermediation by financial services provider (MFSP) in Myanmar. In EMIs is not allowed.25 These EMIs cannot provide comparison, payments banks in India need more services such as credit, investments, insurance, or than US$15 million in capital (see Table 2). 24 Other savings on their own account, but in some cases, requirements deal with matters such as the business may provide access to them in partnership with plan, risk management, settlement of customer a licensed financial institution. Further, e-money claims, and IT systems. EMIs are generally required accounts are generally subject to quantitative to be limited liability corporations, and some ceilings (e.g., maximum e-money outstanding per countries impose ownership requirements (see issuer or maximum balance per customer). Table 1). In Ghana, for example, a dedicated EMI must have at least 25 percent indigenous ownership. In addition to the licensing requirements, EMIs are subject to ongoing reporting requirements that are relatively light (see Box 3). The range of EMIs’ activities is often restricted to core functions such as issuing e-money accounts, cash-in/cash-out, and domestic payments and Box 3. Reporting and access to data transfers. Payments could include utility bills, EMIs must submit regular reports to the central merchant payments, salary disbursements, elderly bank. The rules generally demand monthly allowances, and tax payments (as in Bangladesh). reporting on, for example, the number of accounts, volume and value transacted, agents, incidents Other related services are treated differently across of fraud, complaints, scope of services, and loss countries. For example, OTC transfers are expressly of data. There is also annual reporting in the permitted in Ghana and prohibited in Uganda, form of audited financial statements and reports on risk management and IT practices (in some while other countries (Tanzania) do not address the cases, including an external system audit, as in issue directly. Inbound international remittances Bangladesh). The regulator is generally allowed to are also subject to varied, sometimes unclear, access all databases and registries of transactions treatment. For example, in Ghana and Myanmar, from EMIs and agents. Records of electronic transactions are to be kept for a period of years such remittances are expressly permitted, while (e.g., five years in Myanmar, seven in Kenya). in other countries (Uganda) there is no explicit 24 Kenya also offers a small e-money issuer license with lower minimum capital, but restricts issuance to closed and semi-closed loop instruments. Several other countries including India and Pakistan also provide a sliding scale of requirements for issuers of closed-, semi-closed, and open-loop instruments, but only the latter are considered here as having the functionality of e-money. 25 Strictly speaking, it is the intermediation of deposits in the form of loans that is prohibited. Some jurisdictions, including WAEMU and Rwanda, permit placement of funds in approved investment and debt instruments. 13 1.3 Treatment of e-float the e-money customer (as in Kenya, Myanmar, Tanzania) (Greenacre and Buckley 2014). 30 A The last key component of the framework for similar arrangement is an escrow account. This is nonbank e-money issuance is the protection of an account managed by a third party, where funds funds collected from customers and converted into are released upon the occurrence of conditions e-money (i.e., the e-float).26 Upon receipt of funds stated in the escrow agreement (e.g., authorized from the customer, the rules generally require the payment, settlement). 31 An escrow account is prompt deposit of those funds in bank accounts or required for EMIs in Uganda. placement in other safe, liquid assets. The rules may specify a time limit for the funds to be deposited or The second question is what prudential safeguards reconciled with the e-float, or simply state that the apply to the e-float. In most of the 10 countries, funds in the e-float account may never be less than regulations mandate that all customer funds the aggregate e-money issued. 27 (100 percent of all e-money outstanding) be deposited with commercial banks. 32 Partial The first concern arising here is whether and how exceptions to this rule are WAEMU and Rwanda, customer funds are protected from any claims and where a portion of the funds—up to 25 percent and risks to which the EMI is subject. A third-party claim 20 percent, respectively—may be placed in other on the EMI (e.g., due to default or bankruptcy) could types of safe investments. Further, concern about attach to funds in the e-float account. The e-money concentration risks on the part of the investor (the rules do not always address this issue directly,28 EMI) or the investee (the bank holding the e-float) but some countries require the isolation and ring- has resulted in diversification rules. Some countries fencing of e-float funds from claims on the EMI. In place ceilings on the proportion of an issuer’s Ghana, the regulations require e-float deposits to be e-float funds deposited in any single bank (e.g., in separately identified, and prohibit any commingling Tanzania the maximum is 25 percent), while others with funds that have a different source or purpose. 29 set a limit on the value of e-float deposits as a In contrast, the rules in Uganda stipulate that e-float percentage of the recipient bank’s net worth (e.g., funds are the property of the customer and not of 15 percent in Ghana, and 25 percent in Rwanda). the EMI. It is important that these countries have set (See Table 3.) up such protections, but whether they are effective against other legal claims will need to be confirmed There are a variety of approaches to interest in practice. accrued on e-float accounts. Some jurisdictions such as WAEMU and the EU do not permit any Some countries protect the e-float (once deposited interest to be paid to e-money customers for the in a bank) by specifying that it should be placed funds deposited.33 Alternatively, several countries in a special type of account. One approach is (such as Ghana, Kenya, Tanzania, and Myanmar) to require such deposits to be placed in a trust prescribe the allocation of any such interest accrued account administered by a trustee on behalf of (Tsang et al. 2017). Tanzania, for example, requires 26 This discussion draws on Tarazi and Breloff (2010). 27 This is the case, e.g., in Myanmar, Tanzania, Rwanda, and Ghana (See Table 3). 28 E.g., in Côte d’Ivoire, the rules restrict the use of the funds to e-money reimbursement. This provides a measure of protection, but it is not clear whether this would be effective, e.g., in the case of the EMI’s bankruptcy. 29 The European Union has a similar provision. See Oliveros and Pacheco (2016). This in effect means that the e-float funds should not appear on the issuer’s balance sheet and not be available to meet any other obligations of the issuer. 30 Trusts are better known in common law than in civil law countries; however, the law in this area has been evolving. 31 Although the relevant law differs in detail across countries, escrow is designed to place assets beyond the legal control of the issuer, which protects them from many third-party claims. In comparison, a trust is a more formalized structure and is usually deemed to be a stronger protection to the assets in it. 32 The central bank may specify or approve certain banks for this purpose (e.g., in Kenya, those meeting strength criteria). 33 For Côte d’Ivoire, see Instruction N°008-05-2015 Régissant les Conditions et Modalités d’Exercice des Activités des Émetteurs de Monnaie Électronique dans les Etats Membres de l’Union Monétaire Ouest Africaine (UMOA) (2015), arts. 32-35. For the EU, see Directive 2009/ 110/EC, art. 12. 14 Table 3. Regulations on e-float Diversification Country Fund safeguarding rules requirement Interest payment Reconciliation Côte d’Ivoire Placed in a bank. At least Not specified. No interest paid to Daily 75% in sight/demand e-money customers. deposits, the balance in time deposits, T-bills, or corporate securities. Ghana Hold as liquid assets in Not to exceed 15% of 80% of income from Daily banks. net worth of bank. pooled account to be paid to EMI clients. Kenya Trust Fund Once float exceeds Income from trust Daily US$950,000, max 25% account to be used of float may be kept according to trust in a single bank and legislation or donated 2 of the banks must be to public charity, but not strong-rated. paid out to customers. Myanmar Trust Account Central bank may set Interest from trust Daily a limit on number of should go to clients. accounts in pooled account. Rwanda Trust Account or special Not specified. Pass through at least Daily account. Up to 20% in short- 80% of interest earned term government securities; on float account. up to 10% in term deposits (max 3 months). Tanzania Trust Account If float exceeds Interest from trust — US$45,000, max 25% of shall be used for direct float may be kept in a benefit of e-money single bank. Each single customers. bank cannot hold trust float funds exceeding 50% of its core capital. Uganda Escrow Account Bank of Uganda may Not specified. Daily require. interest accrued in the trust account to be used would, in principle, fall within the deposit guarantee for the direct benefit of customers and held in a system—that is, if accounts from legal persons separate account until it is paid out. Bangladesh are covered. But the simple application of this and Myanmar have a similar rule. Ghana requires guarantee would pose problems, since e-float 80 percent of the interest accrued on e-float accounts exceed the per-account ceiling. In India, accounts to be paid to e-money customers. 34 payments banks issue e-money against deposits, In Kenya, by contrast, income generated from which are covered by the deposit insurance and e-money trust funds must be donated to a public credit guarantee corporation. Ghana’s e-money charitable organization in accordance with trust regulations require e-money accounts to be granted legislation and in consultation with the central bank. the same protection as deposit accounts. In Kenya, a pass-through deposit insurance policy covering How are e-money accounts and e-float accounts individual customer account balances held in the treated under existing deposit insurance systems? trust accounts has been adopted but not yet put Often, this issue is not explicitly addressed in the into operation (Izaguirre et al. 2016; Oliveros and law or regulation. In that case, e-float accounts Pacheco 2016).35 34 Some customers in Ghana have reportedly asked that no interest be paid to them for e-float, which raises the question of what alternative arrangements (e.g., Shari’a-compliant vehicles) might be made to enable such customers to share equitably in the earnings. 35 Very few countries, including the United States, have pass-through deposit insurance provisions in place. 15 1.4 Summary of experience “brick-and-mortar” branches, cannot solve the distribution problem in a cost-effective manner. The following general patterns emerge from the Ideally the full range of providers—banks and 10 countries’ experience in this area: nonbanks such as EMIs—should be permitted to distribute their products and services cheaply through • In all 10 countries, nonbanks are playing a leading a wide range of agent types. But this heightens role in offering basic transaction accounts to the agent risks that may affect customers or providers. A mass market.36 This was accomplished by the balance must be struck between inclusion and safety. countries generally abstaining from imposing the full range of requirements applicable to In this part, we discuss the following critical commercial banks in exchange for limiting their dimensions of the second enabler: range of activities and prohibiting intermediation of funds. Seven of the 10 countries have opened • Establishing a basic framework for the use of space for nonbank e-money issuance by creating a agents in DFS, in which the responsibilities of separate regulatory niche for EMIs. agents and principals are clearly delineated. • The three largest countries among the 10 • Fixing criteria for the form and content of the countries—all from South Asia—did not create agency agreement, including the type and scope a separate licensing window for EMIs, choosing of the agency. to restrict e-money issuance to banks (and bank • Setting standards of eligibility and procedures for subsidiaries in the case of Bangladesh). In India, authorization of agents. limited-purpose banks with lighter requirements • Providing for ongoing obligations of both parties, than full-fledged banks were introduced by including security and reporting standards. regulation, allowing nonbanks to establish separate entities to obtain a license and issue e-money. The Our analysis of these areas identifies a few distinct approach is different in Pakistan, where nonbanks approaches that the different countries follow in need to acquire stakes in existing or newly founded regulating agents used by DFS providers. These banks (though the latter can be microfinance banks). reflect policy decisions such as categorizing agents In Bangladesh, the dominant EMI is a nonbank by the types of providers they represent or by the that is not directly licensed by the regulator and kinds of activities in which the agents are engaged. operates under the auspices of its parent bank. • In the case of EMIs, there is convergence on 2.1 Basic framework for DFS agency prudential safeguarding of e-float funds in bank accounts, and isolation of the funds from third- Agency arrangements are familiar across many party claims through trusts or similar structures. sectors of the economy and can be adapted to • Other questions remain open to divergent the needs of financial services, including DFS. approaches, including whether and how e-float Agency contracts are usually governed by a well- funds are to be protected by deposit insurance developed set of legal standards. Depending systems or whether customers should benefit from on the context, these may include common law interest earned on the e-float account. principles, provisions of the civil or commercial code, legislation on certain types of agents (e.g., 2 Enabler 2. Use of Agents broker, distributor, trustee), or general outsourcing rules for financial institutions. Inclusive DFS depends on providers’ ability to outsource customer-facing functions to agents— In the DFS context, heightened risks arise not thereby extending their reach and capturing only from the differing interests of principals efficiencies. Traditional service channels, especially and agents, but also due to intervening factors 36 Most, but not all, of these are e-money accounts. 16 linked to technology platforms, remote access, 2015). They argue that most agents are simple and the complexity inherent to financial services. “cash merchants” transacting against their own Regulators have identified operational, consumer, money. In the real-time, prefunded environment of and money laundering/terrorist financing risks as DFS as it is seen in most of the 10 countries, cash-in the major agent-related risks (Dias et al. 2015). In and cash-out transactions, unlike bank deposits, do response, the countries studied have developed not increase bank liabilities but only transfer values specific regulations to govern agency relations and between account-holders.39 This limits agent risk their inherent risks. essentially to consumer protection and AML/CFT issues. When outsourcing goes beyond this level, Where agents are permitted, allocation of legal for example, when agents are involved in account responsibility is essential. Every agent acts on behalf opening or credit assessments, the risks increase. 40 of a responsible principal . Agency regulations generally stipulate the principal’s liability for its Several countries distinguish between nonbank and agent’s actions within the scope of delegated banking agents across the board, imposing stricter responsibility (whether expressly or clearly implied). requirements on the latter. Few countries have Regulations in the countries studied make this implemented a truly risk-based approach and have principal liability explicit, sometimes requiring it instead imposed differential treatment on agents to be stated in the agency agreement. In several that basically offer the same standard services. An countries, the laws expand the liability of banks activity-based approach applying uniform rules to to include any improper actions of the agent (this all types of providers and all types of accounts for a applies only where a bank is the principal). 37 given type of activity (e.g., cash-in/cash-out versus loan disbursement) seems optimal for creating a However, the regulations do not solely rely on this level playing field. This is particularly the case with liability provision. They also specify due diligence and increased agent sharing and models where bank risk management steps to be taken by principals with accounts are served through EMI agents, as is the respect to their agents. Regulations generally require case in many digital credit models.41 (See Box 4.) the principal to carry out ex ante and ongoing (or periodic) assessment of an agent’s risks and to have 2.2 Terms of the agency agreement appropriate internal controls and risk management systems. In half of the 10 countries,38 the rules require Beyond establishing the basic framework for DFS principals to provide agents with training on their agency, policy makers are concerned about the role in financial services delivery. Some countries form and content of the agency agreement (i.e., such as Bangladesh, India, and Rwanda have detailed what an agent may be hired to do and how the risk management frameworks (e.g., IT requirements) agent is bound to the principal). We first take up for the use of agents by licensed institutions as well the how question. as rules for agents’ liquidity. In all 10 countries, a written contract is required for A few experts have questioned the need for retaining an agent, and model agreements may be financial institutions to assume liability for and inspected by the regulator. In some countries, the oversight of the activities of all agents (e.g., Mas regulations prescribe contractual language, such as 37 Bangladesh, Kenya, Myanmar, and Tanzania apply this rule (in Tanzania it includes acts of omission), reasoning that the principal bank is the party best able to monitor agents’ behavior and to deter misconduct. 38 Bangladesh, Kenya, Pakistan, Rwanda, and Tanzania. 39 An exception is India, where the central bank has instructed the principal bank to consider the cash handled by the agent as its own cash and lower the agent’s prefunding levels as it gains experience over time with the agent. RBI Circular on Issues in Cash Management— RPCD.FID.BC.No. 96/12.01.011/ 2013-14. 40 Kenya distinguishes between cash merchants and full agents in its National Payment System Regulations (Arts. 14–18), but imposes identical standards on them. 41 This is the case in, e.g., Kenya and Tanzania, where banks have partnered with EMIs to offer bank accounts to e-money customers. Customers can access their bank accounts only by moving money in and out of the mobile wallet offered by the EMI partner. Examples for this are M-Shwari in Kenya and M-Pawa in Tanzania. 17 Box 4. Contrasting approaches to agent regulation The countries studied illustrate divergent approaches The account-based approach comes into the picture to agent regulation, of which we have identified when, for example, banks offer not only deposit three. The institution-based approach defines agent and credit accounts, but also e-money accounts, rules within the regulatory framework for different through agents. In Bangladesh, only banks (and types of financial institutions that are permitted bank subsidiaries as in the case of bKash) can use to use agents. The focus here is on who may use agents. Bangladesh has banking regulations dealing agents, and what conditions apply to each category with banking agents as well as distinct, overlapping of provider—with the requirements depending on MFS rules applicable to banks (and bank subsidiaries) the type of principal doing the outsourcing. An authorized to offer MFS. In Tanzania, banks can be alternative approach is the account-based approach, EMIs, in which case their e-money agents follow the where the rules depend on whether agents serve bank rules for EMI agents rather than for agency banking. In accounts (savings or credit) or e-money accounts. An these two examples, different departments supervise activity-based approach defines different rules for agent activities, depending on the type of account agents depending on the types of services being offered by the principal regardless of the type of outsourced regardless of the type of principal or the activity undertaken by the agent (which could be type of account served. the same standard cash-in and cash-out operations). Most agent regulation is institution-based (see Payment, MFS and e-money accounts come within Table 4). This approach is straightforward in a the authority of the payments department, while bank country like Pakistan, where only banks—including accounts are under banking supervision. microfinance banks and Islamic banks—can offer DFS. There are two examples of activity-based approaches Similarly, in India, the regulations for different types of in the countries studied. Ghana and Rwanda banks, including the recently launched payments banks apply a common set of agent outsourcing rules to as well as banks issuing PPIs, all refer to the same set different types of institutions. In Ghana, banking of rules for agents (business correspondents).a The and e-money agent activities come under a single, different categories of banks are subject to the same common framework (though handled by different agent rules. However, the institution-based approach departments of the Bank of Ghana), just as Rwanda leads to fragmentation in a country like Kenya, where applies the same set of agency rules to banks, MFIs, banking agents, deposit-taking MFI agents, and PSPs, remittance services providers, and EMIs. PSP agents have their separate regulations.b While Differentiated treatment can then be applied to this approach might reflect a risk-based regulatory the various activities carried out by the agents. This design, more often the differences stem from the fact treatment is defined in part by the rules generally that different types of agents are regulated under applicable in areas of activity such as e-money different laws (e.g., banking law vs. payments law issuance, remittances, and deposits. Also, Ghana and vs. microfinance law). Account-based and especially Rwanda permit a wider range of activities to agents activity-based approaches are usually closer to a true that are companies (in Ghana, companies meeting a risk-based model. size threshold) than to individual agents.c a PPI issuers that are not banks are permitted to use other agents, but not for open-loop payment instruments. b The same holds true for banking agents, PSP agents, and EMI agents in Tanzania. But Tanzania’s Electronic Money Regulations (2015) take an account-based approach that does not differentiate among the types of institutions approved to issue e-money—thus making it a hybrid. c Also, in Bolivia, Brazil, Colombia, Paraguay, and Peru, a single regulation applies to all regulated providers allowed to hire agents. This includes EMIs that were introduced by laws issued after the agent regulation was already in place (Dias et al. 2015). a statement of the principal’s liability (e.g., for rapid agreements. The majority of the 10 countries transfer agents in Côte d’Ivoire, banking agents in prohibit agency agreements that bind an agent to Tanzania, PSP agents in Rwanda). Other mandatory a sole principal. Pakistan, Rwanda, and Bangladesh clauses may address the principal’s authority to take a slightly different approach, stipulating that monitor and inspect the agent (banking agents an agent may serve several institutions, thus leaving in India) or the agent’s duty to retain pertinent open the possibility (at least in principle) that records and make them available for inspection by an agent and provider could choose to enter an the regulator (India, Rwanda). exclusive agreement. Such regulations are aimed at protecting competition by limiting vertical tie- Another common feature in this area is the ups and at promoting access to the services of prohibition of exclusivity clauses in agency more than one issuer at the agent point of service. 18 Most of the sample countries also require providers include dealing in foreign currency, opening accounts, to facilitate interoperability, including at the level cashing checks, providing cash advances, and others. of their agents, which has a similar effect on competition and access. In a few cases (India), by Types of agents contrast, exclusivity is allowed or even mandated The question of the possible scope of a DFS at the subagent or retail outlet level.42 In Pakistan, agency is often answered by setting up rules that the central bank retains the authority to impose differentiate among categories of agents. In the limits on agent sharing with the aim of encouraging DFS context there are a variety of types of agents providers to open new agent locations. 43 serving a wide range of principals. The varieties of agents can be categorized in different ways, Agency scope including by the type of principal institution they There remains the question of what agents may represent (see Box 4). be authorized to do on the principal’s behalf. DFS regulatory frameworks identify activities for which Agents may, alternatively, be distinguished based the use of agents is permitted and prohibited. The on the type of contractual relationship they have range of permitted activities may vary with the type with the principal. They can be directly contracted of principal represented (bank or nonbank agent by the principal or subcontracted by another agent such as a PSP or EMI agent). In Ghana, for example, who in turn holds a contract with the principal. banks are permitted to deploy agents for a wider In the latter case, they are typically referred to range of services—marketing and sale of credit, as subagents and their principals are called savings, insurance, and investment products—than master agents . In some cases, several levels of are EMIs. outsourcing (creating long principal-agent chains) are permitted, which makes it more difficult for The basic functions that can be outsourced to the principal to ensure regulatory compliance and agents include cash-in and cash-out, payments manage risks. services, and information collection and document completion for account opening. On this last point, Further, agents can be described as wholesale or the actual opening of accounts is generally handled super-agents if they provide cash management by the principal. In Ghana and Pakistan, however, services to other agents who may themselves lower-level accounts can be opened at an agent have a direct agency contract with the principal or (in Pakistan) even remotely by phone (with a (and thus are not subagents). Similarly, agent biometrically verified SIM). The countries studied network managers can be hired by the principal to include some where OTC is prohibited (Bangladesh, provide support services to agents. Agent network Uganda), where it is explicitly permitted (Ghana, managers (e.g., under Ghana’s regulations) are Pakistan), and where the regulations are silent. 44 In concerned with recruitment, training, compliance addition, banking agents can handle regular banking monitoring, liquidity management, and general functions, such as disbursing (usually small) loans, support. They are typically not agents themselves accepting deposits, and collecting loan payments, (although they could be). The agents they manage on behalf of the principal bank. In a few cases (Ghana are directly contracted by the principal. In some and Bangladesh), they may receive and/or send cases (e.g., Selcom in Tanzania), these agent international remittances. The prohibitions, especially network managers are aggregators, offering for agents of nonbank issuers, are many and usually facilities such as payment integration services. 42 Mobile money agents have in some instances been allowed to be exclusive. This was formerly the case in Kenya and Uganda. Where exclusivity is not prohibited—as has been the case in several countries such as Tanzania for e-money agents and in Brazil (Dias et al. 2015, p. 25)—one could argue that such an approach is justified on several grounds. Exclusivity, among other things, could help maintain clearer accountability and liability by the principal as compared to nonexclusivity. It also incentivizes providers to expand outreach by recruiting new agents and to be the first to build an agent network. 43 Framework for Branchless Banking Agent Acquisition and Management, sec. 9.9 (b). 44 WAEMU provides for separate authorization of agents for rapid funds transfer, i.e., OTC services. 19 Table 4. Agent regulation overview Regulatory Role in account approach Types of agents opening (examples) Types of specialized agents Bangladesh Account-based Banking, MFS Receive account Not specified. opening documents. Côte d’Ivoire Institution-based Banking, e-money, Sign agreements with Primary (master) agent: rapid transfers clients. contract subagents. Ghana Activity-based Banking, e-money E-money: Open Agent network manager minimum or medium for banking and e-money KYC accounts on behalf agents: recruitment, training, of issuer. compliance monitoring, liquidity management. India Institution-based Business Identify customers. Not specified. correspondent Process & submit (bank, incl. applications. payments bank) Kenya Institution-based Banking, MFI, PSP MFI: Collect documents Wholesale agent/wholesale for account opening. cash merchant: Distribute money to retail agents. Myanmar Institution-based Mobile banking, Mobile banking: Cash Not specified. MFSP deposits. Pakistan Institution-based Branchless banking Open and maintain Super-agent (established branchless banking retail outlet or distribution accounts. setup); Agent Network Manager/Aggregator: Training and monitoring agents, reporting to financial institutions, liquidity management. Rwanda Activity-based Banking, e-money, Customer identification Agent network managers/ PSP (2-factor). super-agents: Management Collect account and coordination of basic opening info from agents’ activities. clients (only if agent registered as company). Tanzania Account-based for Banking, e-money, Banking: Collect Wholesale agent (company): e-money accounts, PSP documents for loan e-money distribution, retail otherwise applications. management. institution-based Uganda Institution-based Banking, mobile Banking: Collect Not specified. money documents and info for account opening. These diverse types of agents respond to In practice, the terms used for the different providers’ need for a wide range of service points types of specialized agents—master agents, along with mechanisms to support and monitor super agents, agent network managers—are not them. Thus, the use of master agents or agent consistent across countries. 45 (See Table 4 for network managers becomes critical. Using agents examples.) properly means identifying, training, monitoring, and managing agents while ensuring their liquidity, Agent eligibility and authorization 2.3  risk management, and compliance with regulatory and customer service standards. Providers may The next concern that regulation must address is to outsource some or all these functions to master determine who is eligible to become an agent (or agents or agent network managers. a certain type of agent) and what kind of approval 45 Rwanda, e.g., provides for super-agents and basic agents; Ghana authorizes agents and master agents; and Kenya provides for wholesale and retail agents. 20 (if any) is required by the regulator. The rules Policy makers and regulators face a choice seem to vary greatly in the effectiveness of their between ex ante enforcement of eligibility rules implementation and the burdens they impose. (prior approval) or ex post (inspection). In some cases, as a first step, general approval for the Most of the 10 countries require agents to be use of agents or for a network of agents may be registered businesses, whether companies or required. This may need to be followed by the individuals. 46 In several countries, the eligibility provider obtaining authorization for individual standards state that an agent must be an enterprise agents or groups of agents—as is the case for with its own independent (and viable) line of banking agents in Kenya and Uganda (bulk business. This is clearest in Kenya, where one is authorization). 49 Different standards may apply prohibited from continuing to provide services as to agents of different scale (e.g., master agents an agent if the separate line of business is not and subagents that operate on their behalf) or commercially viable. 47 function (bank versus nonbank agents). Banking agents are most rigorously controlled in WAEMU, These kinds of requirements appear designed to where individual agent approval is required along mitigate risk—but their cost-effectiveness is not with financial guarantees and other conditions not always clear. First, such rules may not be well- applied to EMI agents. In Kenya, when PSPs recruit targeted. It is worth asking whether someone agents, PSPs simply need to notify the central who has specialized in agency services should bank 14 days before the commencement of the be ineligible purely due to failure to meet a agent’s operation and report basic information registration or “line of business” standard. Second, periodically.50 Master agents and agent network the burden of these requirements may undercut managers may be subject to stricter standards, as the objective. Providers sometimes have difficulty in Ghana, where providers must apply much more recruiting new agents because of such standards. comprehensive due diligence.51 Third, the extent of compliance with these rules is open to question, especially in countries with Regulations may apply eligibility requirements not rapid e-money uptake and thus urgent demand only to agents but also to providers themselves for agents.48 when they seek to outsource. Pakistan, for example, requires financial institutions to meet minimum A few countries (India, Bangladesh, Ghana) allow prudential thresholds to contract branchless individuals to serve as agents if they are educated, banking agents.52 or if they have experience or businesses considered relevant (e.g., insurance agents, retired bankers, Ongoing duties of agents 2.4  heads of self-help groups, mobile agents). and principals Qualifications of a potential agent may include having a good credit history, character references, A DFS provider’s use of agents imposes IT capacities, and a minimum level of experience ongoing regulatory obligations on both parties. in operating a business—as well as an account in a Among these are the kinds of risk management licensed financial institution. requirements discussed previously as well as duties 46 Most admit businesses, generally, in addition to specific groups such as MFIs, the Post, or cooperatives. Others (including India, Bangladesh, and Ghana), have a longer list of eligible entities, e.g., retailers, petrol stations, local government offices, nongovernment organizations, and courier services. 47 Guideline on Agent Banking (CBK/PG/15 [Kenya], art. 4.4). 48 The Helix Institute’s Agent Network Accelerator Survey, Kenya Country Report 2014 notes that 36 percent of Kenyan agents at that time were dedicated, i.e., did not offer a separate line of business. 49 Guideline on Agent Banking (CBK/PG/15 [Kenya], part II). 50 National Payment System Regulations (Kenya) 2014; CGAP (2015, 15). 51 Bank of Ghana Agent Guidelines (2015), arts. 10, 11, 15. 52 The threshold is moderate, including compliance with minimum capital standards and “fair” CAMEL rating (State Bank of Pakistan, Branchless Banking Regulations, art. 9.2 [2016]). 21 of disclosure, which is addressed in Section 4.2, as and Tanzania), geographic information system it relates to consumer protection. Other obligations coordinates. 53 Regulators may also demand include record-keeping, reporting, and ensuring aggregate data on clients, transaction value/ the certainty and security of transactions. volume, fraud incidents, consumer complaints, and remedial measures. Pakistan has introduced Security and technology a web-based agent registry system through which Regulators are concerned with ensuring the security it collects and maintains disaggregated data on and accuracy of agent-assisted transactions and individual agents (Dias et al. 2015). 54 Rwanda the reliability of the technological platform. is in the process of rolling out a data collection Requirements in this area overlap with consumer system that will pull data directly from the EMI’s protection (see Section 4.2). In the countries operational system (Dias and Staschen 2017).55 studied, it is mandatory to provide confirmation of transactions to the client (in some cases, including Regulations also impose record-keeping fees). The implication, made explicit in the case of requirements and establish the authority’s right Tanzania (for banking agents), is that a provider or to conduct inspections at both the principal and agent must not complete a transaction if a receipt the agent. The provider/principal ensures that the or acknowledgment cannot be generated. agent keeps necessary records and keeps data from the agents in the principal’s own system. Providers A related rule prohibits agent transactions going must keep records for several years (requirements forward where there is a communication failure. In vary from five to 12 years), and consistent with Kenya and Rwanda, for example, all transactions the regulator’s standards for organizing records.56 must be processed in real time. The regulations in Further, in most countries, the regulator has several countries (Côte d’Ivoire and Tanzania) hold the authority to inspect the premises, books of the principal issuer responsible for ensuring the account, and records—not only of the principal but reliability and security of their systems, as well as also of its agents and, in some cases (Myanmar and the confidentiality and traceability of transactions. Ghana), other partners and services providers used in the provision of DFS. The countries studied require providers to have approved plans in place for contingency and 2.5 Summary of experience disaster recovery, including for technology- related interruption of services. In some countries, The following general patterns emerge from the these plans are to be stipulated in the agency 10 countries’ experience in this area: agreement and assessed as part of the licensing and supervision processes. • There has been some convergence on the regulation of agents. The principal’s liability is a core tenet Reporting and records in all 10 countries. Most regulators have taken a Agents are not required to report directly to the flexible approach as to the kinds of organizations regulator. But principals do need to identify their and individuals that can be agents. Further, norms agents to the regulator either by periodic reporting of nonexclusivity and interoperability are prevalent, (e.g., monthly in Bangladesh) or by the maintenance though there are differences in application. of updated rosters (e.g., on the provider’s website) • Certain divergences remain on the general approach with names, addresses, and in some cases (Ghana toward agent regulation. While the institution-based 53 For a more detailed description of reporting requirements, see Dias and Staschen (2017). 54 Ghana is in the process of setting up a similar agent registry. 55 Rwanda’s new system should help address the common problem of over-counting agents and access points, which can give a misleading picture and hence the proximity that consumers enjoy. E.g., 98 percent of agents are counted twice in Colombia, as each bank reports shared agents as its own (Arabahety 2016). In addition, large numbers of inactive agents are often included in such counts. 56 E.g., in India, agents (business correspondents) that work for multiple institutions must maintain separate data for each of their principals, and avoid commingling data. 22 approach is still most prevalent (e.g., different Simplified customer due diligence 3.1  treatment of bank and nonbank agents), a few countries follow an account-based approach (rules AML/CFT rules are held to international standards are defined for certain types of accounts that can set by FATF. The FATF Recommendations (2012) be accessed through agents regardless of the and related guidance set forth CDD methods issuer) and two countries (Ghana and Rwanda) have and risk criteria that take financial inclusion into implemented an activity-based approach (same account, allowing for simplified procedures for rules for same activity). Whereas institution- and lower-risk scenarios (FATF 2017) (see Box 5).57 account-based approaches might not have posed a problem in the past, trends such as increased The FATF language simply may be incorporated sharing of agents and partnerships between banks into financial sector regulation, offering providers a and nonbanks make these approaches less tenable. basis for adapting their procedures. However, most • In general, the countries’ regulatory approaches of the 10 countries translate that guidance into are not fully risk-based or proportionate. This is more specific rules that define lower-risk scenarios partly because of the continuing use of institution- and the corresponding simplified methods. based approaches and partly because of Providers appear generally reluctant to implement differences across countries in support for multiple types of agents, such as simple cash merchants, who present lower risks if operating against a Box 5. Customer due diligence and the scope for simplification prefunded account and in a real-time environment. Standard CDD has four elements, according to the FATF Recommendations (no. 10), and each of the Enabler 3. Risk-Based 3  elements can be simplified where risks are assessed Customer Due Diligence as lower (2012, INR 10, para 21): • Identifying the customer and using independent DFS operate within regulatory contexts shaped by sources to verify the identity. Simplification can policies on AML/CFT. The challenge for financial be done by, for example, reducing the extent of ID information required or postponing the inclusion is to ensure proportionate treatment verification. using risk-based frameworks that protect system • Identifying the beneficial owner and taking integrity while imposing the least burden on DFS reasonable steps to verify that identity and understand the customer’s ownership and outreach. control structure (in the case of a legal person). These checks are required to ensure that the The essential components of the third enabler account holder and anyone represented by that include the following: holder are identified (including any “politically exposed persons”). A simplified process could, for example, use information provided by the • Adopting the principle of simplified CDD in lower- customer without verifying it. risk scenarios. • Obtaining information on the purpose and • Translating this principle into risk-based tiers for nature of the business relationship between the customer and the financial services provider. different kinds of accounts, transactions, clients, Simplified CDD can infer this from the type of and methods of account opening and transacting transaction or the relationships. (remote or in-person). • Conducting ongoing monitoring and due diligence as needed to ensure that all transactions • Addressing constraints on customer identity are consistent with the institution’s knowledge of documentation by recognizing a wider range the customer, its business and risk profile, and its of ID types and making use of new methods of source of funds. This means keeping the client identification for lower-risk transactions, which are profile sufficiently up to date to identify anomalous transactions. The degree of monitoring could be made possible by advances in ID systems (wider reduced based on a reasonable threshold. coverage, better accessibility). 57 FATF has published extensively on the risk-based approach and its application, e.g., to the banking sector (FATF 2014), to prepaid cards, to mobile payments and internet-based payment services (FATF 2013), and to money and value-transfer services (FATF 2016). 23 a risk-based approach without this kind of specific unserved customers, while legacy CDD rules for regulation (de Koker and Symington 2011). Thus, banks continue to coexist (see Table 5). while FATF’s concept of risk-based CDD does not require explicit definitions of risk scenarios and Account, transaction, and client restrictions procedural adjustments, such definitions appear to Several countries define at least one differentiated be more effective in ensuring the use of risk-based type of account with lower CDD requirements. 61 CDD in practice. These accounts are subject to lower balance and transaction limits than regular or enhanced CDD Regulatory provisions on risk-based CDD emphasize (i.e., higher risk) accounts. Other restrictions may the first element of customer identification and apply (Ghana), such as prohibiting a client from verification, which is often called Know Your having more than one such account or considering Customer (KYC). But there are also examples of the account dormant after 12 months of inactivity. simplification of the other elements. Pakistan, for In like manner, one-off transactions (e.g., OTC example, permits reduced frequency of customer transfers) may have lower ceilings to qualify for ID updates and less intensive on-going monitoring simplified CDD (Ghana and Pakistan). A further for accounts with a limited monthly turnover. 58 complication arises in some countries (Ghana, Bangladesh provides such an allowance for low- Myanmar, Tanzania) where tiered KYC is available risk customers,59 as does Myanmar (for banks).60 only to EMIs or to mobile money providers. In Pakistan, only branchless banking accounts are 3.2 Tiered approaches subject to the tiered structure. A common regulatory approach to risk-based In several cases, e-money accounts have three CDD is the definition of risk tiers to which due versions or tiers: diligence procedures of varying intensity are applied. This is in line with FATF guidelines that • A basic account with minimal opening requirements suggest countries should consider such a tiered and correspondingly low ceilings for transactions. approach to implement simplified CDD measures • A mid-range account allowing for bigger in lower-risk scenarios (FATF 2017, para. 74). transactions and more stringent requirements, but Such risk tiers are determined by the features less than a full KYC procedure. of the accounts or transactions permitted, the • A higher-limit, full-KYC account. This tier may types of clients, and the modalities of account include special accounts designed specifically for opening and transacting (e.g., in-person or not). businesses. The business accounts have much Most of the 10 countries define two or three tiers higher limits than individual accounts.62 (e.g., high, medium, and low risk). In some cases, however, the rules are different for DFS (e.g., Differentiated KYC requirements for businesses tiered structures applying only to transactions provide higher quantitative transaction ceilings in via agents and/or only to EMIs) as compared to exchange for more rigorous procedures for account general rules applying to bank accounts and/or opening. Such business accounts are mostly used by branch-based transactions. One reason for this agents and merchants, who regularly handle larger is that DFS rules were introduced more recently amounts of cash and higher transaction volumes and with a clear focus on reaching previously than the regular clientele. Account opening in such 58 State Bank of Pakistan, AML/CFT Guidelines on Risk Based Approach for Banks & DFIs (updated 31 March 2015), arts. 7–8. This applied to accounts with a monthly turnover up to PKR 25,000 (US$226) such as basic bank accounts and Level 0 branchless banking accounts until monthly limits were raised to PKR 40,000 (US$328) in 2016. 59 Bangladesh Bank (BFIU), Money Laundering and Terrorist Financing Risk Assessment Guidelines for Banking Sector, sec. 6.3, 6.11. 60 Central Bank of Myanmar Directive No. 21 /2015, arts.14, 16, 22. 61 E.g., Ghana, India, Tanzania, Myanmar, and Pakistan. 62 E.g., Myanmar sets a daily MFS transaction limit for businesses of 1 million kyats (US$723) compared to 50,000 kyats (US$36) for the lowest individual tier, a monthly transaction limit of 50 million kyats (US$36,000) compared to 1 million for the lowest tier, and a balance limit of 10 million (US$7,223) compared to 200,000 kyats (US$145) for the lowest tier (Central Bank of Myanmar, Regulation on Mobile Financial Services [FIL/R/01/03-2016], sec.17). This tiering scheme applies to EMIs, but not to banks that provide MFS. 24 Table 5. Selected KYC requirements for e-money accounts CDD/KYC coverage and tiers Quantitative limits for low KYC Illustrative KYC requirements Ghana Tiered KYC schemes apply only Limits for minimum KYC: Minimum KYC: Any type of •  to EMIs. E-money KYC tiers: •  Maximum balance: GHC 1000 photo identification minimum, medium, enhanced. (US$226) Medium KYC: Official ID •  •  Daily transactions: GHC 300 (US$68) documentation listed as •  Aggregate monthly transactions: acceptablea GHC 3000 (US$677) Enhanced KYC: Same •  requirements as that of opening bank account. Myanmar MFSP covered. Limits for level 1 accounts: •  Level 1: National ID document. Three levels of MFS accounts: •  Transactions: MMK 50,000 (US$37) • Level 2: National ID document Level 1 (lowest level) and Level 2 per day; MMK 1 million (US$736) and SIM registration. for individuals; Level 3 for legal per month. • Other KYC requirements: entities. Maximum balance: MMK 200,000 •  Permanent and mailing (US$147) address, date of birth, nationality. Pakistan Applicable to branchless banking Limits for Level 0: Level 0 requires: accounts (being full banking •  Transactions: PKR 25,000 (US$226) • Capturing the image of the accounts). per day, PKR 40,000 (US$362) per customer national ID document Three levels of accounts: Level 0 month, and PKR 200,000 (US$1,811) •  A digital photo of the customer (lowest), Level 1, and Level 2. per year. • Verification of customer data •  Maximum balance: PKR 200,000 against NADRA system. (US$1,811) Account opening can be through physical or digital means. Rwanda All EMIs covered. Limits for Tier 1 (Individuals): Customers can be electronically Tiers: Individuals, individual Single transaction: RWF 500,000 •  registered or follow e-KYC customers with higher levels, legal (US$592) procedures. entities, basic agents, etc. Tanzania Tiered KYC applies to mobile Limits for electronically registered Alternative IDs: Employment ID, money issuers. Tiers: Electronically mobile money accounts: social security ID, or a letter from registered (lowest level); Single transaction limit = TZS •  the ward/village executive. electronically and physically 1 million (US$446) registered; SME accounts. Maximum balance = TZS 2 million •  No tiering for card-based e-money. (US$892) (stated as “daily” balance, i.e., average not to exceed threshold) a. National ID, voter identification, driver’s license, passport, and other government documents, such as the National Health Insurance Scheme identification. cases may require the client to visit a bank branch, ceilings for agents and separate treatment for to provide additional documents such as a business merchant accounts. registration, and to comply with the full KYC procedure (as required for regular bank accounts).63 In India, CDD requirements for payments banks are For example, Tanzania provides four risk-based the same as for banks. Thus, uniform standards on KYC tiers for EMIs, including one for retail agents account opening apply across institutions, including and one for wholesale agents.64 Similarly, the KYC simplified CDD for opening small-value accounts. rules applied to e-money in Ghana provide higher Also, India classifies certain customers as low risk 63 In Myanmar, this highest MFS tier requires a registration certificate, which can be a problem for agents that are informal businesses. 64 Retail agents require only the basic documents (e.g., business registration and tax ID number) required to conduct commercial activities, while wholesale agents must be registered corporates and are permitted to distribute e-money and manage retail agents (Electronic Money Regulations, 2015 [Tanzania], Third Schedule). This tiering scheme applies only to mobile money. For card-based e-money, the general rules contained in the AML/CFT legislation (2013) and regulations (2015) apply. 25 (thus eligible for simplified CDD), including members accounts are registered physically or electronically of self-help groups and foreign students.65 Where by mobile phone. These accounts have tiered simplified CDD applies, customers may be issued transaction limits along with differentiated CDD/ closed and semi-closed loop PPIs. However, when KYC requirements, and they impose special risk issuing e-money (open-loop PPIs), 66 banks must management (governance and MIS) responsibilities apply standard CDD, and the simplified CDD rules on the provider.70 Also, Pakistan recently permitted provided in the banking regulations do not apply.67 lower-tier mobile wallets to be opened remotely from the customer’s mobile handset, taking Face-to-face versus remote transactions advantage of the fact that all SIM cards in Pakistan In most DFS models it is essential that customers are now biometrically verified against the central have the option to be identified either at an agent ID database.71 As a result, account openings have or remotely (electronically). Accordingly, another sharply increased (Rashid and Staschen 2017). basis on which to define tiered KYC treatment is whether the business is done in person between Loosening the ID constraint: 3.3  the provider and the client. Where accounts are Risk-based rules and opened or transactions are carried out through an evolving ID systems agent, CDD performed by such agents is treated as if conducted by the principal, and the ultimate A major contextual factor in CDD is the responsibility rests with the principal (FATF 2017, development of national ID documentation and para 118f). The provider must properly analyze verification systems. ID systems need to integrate the capacity of its agent and supervise the agent’s all relevant information so that each ID document application of the CDD rules and procedures—but is matched with a single client and with the relevant those rules and procedures do not change. The account. Until recently in most of the 10 countries, standards to be used in overseeing third-party CDD limited availability of official ID documents seriously are somewhat demanding, since money laundering constrained financial services outreach, and is a high-priority area of risk. Thus, for example, therefore—in line with FATF guidelines—policies banks in India and MMSPs in Uganda must ensure were adopted to adjust ID requirements on a risk that their agents are licensed or registered, and that basis. The reasoning was that widening the range they have AML/CFT policies and systems in place of acceptable ID documents should facilitate access that are effectively implemented and monitored and to financial services. are regularly updated. 68 In any case, the principal remains liable for the proper completion of KYC and The countries studied include several that recognize the agent performs only a clerical or conduit rule. alternative forms of ID in lower-risk settings, and several others that do not. India is an example of the FATF considers nonface-to-face scenarios— former. Where India’s regulations allow simplified accounts opened electronically without visiting an measures for verification of customer identity, agent—as potentially posing higher risks. 69 Some alternative documentation may be accepted in countries have special KYC rules for accounts lieu of a national ID card, including photo ID cards opened remotely. Tanzania, for example, provides issued by banks (public and private) and by central for differentiated accounts based on whether the regulatory authorities. Another alternative is a letter 65 RBI Master Direction—Know Your Customer (KYC) Direction, 2016, DBR.AML.BC.No.81/14.01.001/2015-16, sec. 3, 16, 22–24; RBI Master Circular—Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India, DPSS.CO.PD.PPI. No.01/02.14.006/2016-17, sec. 6–7. 66 Only open-loop instruments have the full functionality of e-money and, thus, they fall under our definition of DFS. 67 Policy Guidelines on Issuance and Operation of Pre-Paid Payment Instruments in India, 2016, DPSS.CO.PD.PPI.No.01/02.14.006/2016-17, sec. 7.3. 68 An agent completing documents and conducting CDD on behalf of a principal is not the same as opening an account for the client at the principal institution—an authority that often cannot be delegated. 69 FATF 2012, INR 10, para 15; and FATF 2013, ch. IV, para 40, 69. 70 Bank of Tanzania, Electronic Money Regulations, 2015, Third Schedule, Form F. 71 A Level 1 account, which may be opened remotely with a biometric SIM card, has transaction and balance ceilings that are two to four times higher than the Level 0 limits (SBP, Branchless Banking Regulations 2016, art. 4.1)—reflecting increased confidence in the biometric system. 26 issued by a gazetted officer, with a duly attested photograph of the customer. These officially valid Box 6. eKYC in India documents are sufficient for small-value accounts India has established a KYC compliance option for use in electronic account opening: e-KYC. This and some semi-closed loop PPIs. But open-loop service, provided by the Unique Identification instruments equivalent to e-money require full KYC Authority of India (UIDAI), uses biometric measures.72 In Ghana, in addition to risk-tiered ID authentication to confirm the customer’s identity. Under e-KYC, the customer’s identity is verified requirements for e-money accounts, OTC clients when the UIDAI confirms that the biometric data are subject to reduced quantitative ceilings if provided by the customer match the biometric they do not have existing e-money accounts or data recorded against that person’s name. cannot present “acceptable” ID documentation The customer may consent to the ID authority electronically transferring the data, including the (as required for medium KYC measures).73 individual’s name, age, gender, and photograph, to the financial institutions and their agents (business Other countries (Myanmar, Tanzania, Côte d’Ivoire) correspondents). The AML/CFT Rules stipulate that recognize only a few forms of official identification for KYC e-KYC is to be accepted as a valid KYC process, provided that the financial institutions and their purposes, such as the national ID document, passport, agents obtain express authorization from the and driver’s license. In Rwanda, EMIs must identify their customer for release of her or his ID information.a clients by means of a national ID document or passport, a. Two recent events—judicial recognition of a constitutional which is verified through the national ID database—the right to privacy and a major data breach—are expected to usher in limits to data collection and access through only stated exception is the identification of a minor the UIDAI (Aadhaar) system. RBI Master Direction, KYC by her/his duly identified parent.74 But limitations on (2016), sec. 17. acceptable ID documentation need not eliminate risk- tiering. In Myanmar, ID requirements are graduated, but acceptable ID documentation is limited for all tiers to of ID documentation. However, this was reduced the national ID document, driver’s license, passport, or to two (the national ID document and passports for SIM registration. In CDD as in other domains discussed foreigners) by the Ugandan telecoms regulator in in this paper, the extent to which requirements are early 2017 because of security concerns and the wider followed in practice is open to question. Enforcement 75 availability of ID documentation.76 Several challenges capacity should be an important element to consider remain with the reliance on universal biometric when determining CDD rules. identification, including the reach of the technology to unbanked populations and underserved areas, The quality and ubiquity of the ID system is also the accessibility of ID databases to financial services important. Governments are increasingly investing in providers, and the costs of using these systems universal ID documents, databases, and biometrics (unless provided at very low cost, as in India). as the practice of checking databases (eKYC) rather than hardcopy documents grows (see Box 6). Some The benefits of advances in ID systems may new systems (India and Pakistan) cover the great obviate the need to accept a broad range of ID majority of the population and are approaching documentation, but not necessarily the need universal coverage. In Uganda, the enhancement of for tiered account structures. The latter are still ID systems has coincided with a toughening of ID required in many countries because of other requirements for KYC. In 2013, the Mobile Financial requirements applicable to standard CDD, such as Services Guidelines allowed for seven different types residential address verification. 72 Small-value accounts have a balance ceiling of Rs. 50,000 (US$774). The bank accounts thus established can be used for PPIs, but only of the semi-closed-loop type (i.e., not equivalent to e-money) (RBI Master Direction, KYC [2016], sec. 3, 16, 22–24; RBI Master Circular, Pre- paid Payment Instruments [2016], sec. 6–7). 73 Bank of Ghana, Guidelines for E-Money Issuers in Ghana (2015), sec. 15. 74 Otherwise, reporting entities for AML/CFT purposes (e.g., regulated institutions and public companies) may use a simplified CDD process for customers in low-risk categories. Reglement n° 08/2016 DU 01 /12 / 2016 Régissant Les Émetteurs de Monnaie Électronique, art. 11. 75 In practice, many clients (e.g., in Tanzania) have managed to open e-money accounts with virtually any document. 76 The switch relates to MFS, thus affecting DFS, but not other financial services. The deadline was later extended to August 2017 to give providers sufficient time to re-register clients. Many people still needed ID documents at the time. Allowance was made for refugees, who could use an official ID from the Office of the Prime Minister. 27 3.4 Summary of experience 2015). First, the use of agents provides a first line of defense in case any problems occur. But The following general patterns emerge from the they sometimes misinform or defraud customers. countries’ experience with risk-based CDD: Second, technological interfaces make convenient access possible. Yet this comes at the cost of • The countries simplify CDD for lower-risk transactions, increasing dependence on their reliability and on per FATF guidance, but vary in their approaches. The users’ understanding of technology—factors that most common approach is to implement tiered CDD/ can pose special challenges for less experienced KYC requirements for different types and scales of customers. Third, longer and more complex value clients, accounts, and transactions. However, in some chains increase the number of entities involved in countries the tiered account structure applies only serving customers. This can create confusion about to a special type of DFS account (e.g., branchless who is ultimately accountable and where customers banking accounts in Pakistan), which risks creating can seek recourse. These factors underline the an uneven playing field between different types of importance of consumer protection in DFS markets. channels or accounts used. • Several countries have translated FATF standards on In this section, we cover the following essential risk-based CDD into specific regulatory requirements components of the fourth enabler: and tiers. Others have simply incorporated the FATF standards into regulation without providing more • Consistent, comprehensive, targeted consumer guidance. In the latter situation, providers sometimes protection rules for DFS. Frequently, only general hesitate to use the allowed flexibility, and instead or patchwork rules exist without clear adaptation follow a risk-averse, cautious approach. to DFS needs. • While there has been a trend of increasing the range • Rules on transparency and market conduct in of accepted ID documentation for lower-tier accounts providers’—and their agents’—dealings with to reduce barriers for people without identification, customers. the extent to which this wider acceptance is still • Requirements for providers to establish systems for needed depends on the quality and ubiquity of the handling customer complaints. ID system and the accessibility of ID databases. • Standards of service availability and/or digital • The countries diverge notably in their platform reliability that balance protection of accommodation of account opening at agents or customers and irrevocability of transactions. remotely/electronically (nonface-to-face), both of which are subject to specific FATF guidance. Scope and consistency of 4.1  A few countries make use of advanced biometric consumer protection rules ID systems to allow for e-KYC (India and Pakistan stand out in this regard) and have thus been able The complexity of DFS poses a challenge for to make remote account opening much simpler financial consumer protection. Several bodies despite the potentially higher AML/CFT risks. of law and regulation intersect. But for FCP to be effective for DFS clients, the legal/regulatory Enabler 4: Consumer 4  framework must cover all relevant providers, protection channels, and products—and do so consistently. Effective consumer protection is key to the Although the countries in our study have not credibility of DFS as a pillar of inclusive finance. achieved this goal yet, they are making inroads. Regardless of whether FCP must be fully in place To address the priority of getting the DFS market before DFS can spread, it is a necessary ingredient on its feet, regulators in these countries have been in a sustainable, well-governed market. focusing on issues related to the first three enablers. Meanwhile, regulators have relied on existing FCP Three characteristics of DFS models affect consumer norms. Typically, limited (and often belated) attention risks (McKee, Kaffenberger, and Zimmerman has been given to FCP issues specific to DFS. Where 28 Table 6. Consumer protections in DFS Rules, coverage Disclosure rules: Key terms, forms Complaints Bangladesh General and institution- -  Customers must be notified of charges Banks/financial institutions and -  specific: Banks and regulated and fees, changes of terms and PSPs shall establish formalized financial institutions, PSPs, conditions, value-added services complaint procedures; the same electronic fund transfers Transparency in all terms and -  applies for EFTs (EFTs), agents conditions relating to all banking All financial institutions: Zonal -  products and services customer service and complaints -  All regulated financial institutions management cells deal with all must have a Customer Charter in each complaints received directly from branch customers -  Dispute resolution mechanisms should Customer can register complaint -  be part of the contract agreement with central bank Ghana Activity-specific rules: EMIs -  Display fees and service charges - EMI to have a functional dispute and agents - Bank of Ghana provides standard and complaints resolution desk summary sheet -  Right of appeal to Bank of Ghana - Risk information provided to customers - 40 days to file complaint; - Specify minimum contract content and resolution within 5 days written agreement India Institution-specific rules: -  Interest rates, fees, and charges to be Grievance machinery required for -  Banks, payment banks, disclosed via website, branches, help- banks, payment banks, PPI issuers PPI issuers, mobile line or help desk Option to appeal to Banking -  banking, agents (business Contracts should be easily understood; -  Ombudsman correspondents) product price, risks, terms, and conditions to be clearly disclosed Pakistan Activity- and institution- -  Banks required to publish their Banks must have a consumer -  specific: General rules for all schedule of charges for branchless redress cell and centralized banks (commercial, Islamic, banking activities quarterly complaint management system and microfinance banks) -  All contracts shall clearly specify that Receiving and processing a -  and specific rules for banks the bank is responsible for agents’ acts complaint should not take more offering branchless banking; or omissions than 7–10 days (depending on its agents nature) Rwanda General and institution- -  Institutions shall define standards for Financial institutions, EFT -  specific: EFT providers, responsible pricing, transparency; providers, PSPs, and EMIs to have EMIs, PSPs, banks and other disclosure is duty of financial institution complaint procedures financial institutions, agents and agent Right of appeal to senior -  -  EMI must submit a copy of the management of the institution or standard customer service agreement the National Bank of Rwanda, or to the National Bank of Rwanda other body authorized. Tanzania Institution-specific rules: Full disclosure of relevant information -  PSP to establish consumer redress -  PSPs, agents such as pricing, charges, and fees plan with adequate resources Terms and conditions should be fair, -  Appeal to competition commission -  legible, and understood by the client or communication authority Redress within a reasonable time -  and no later than 30 days Uganda General rules: All regulated - Fees, charges, penalties, and any other - Mobile money providers: Effective financial institutions and their consumer liability or obligation to be procedures to be in place agents disclosed - Banks to train agents in complaint Specific rules for mobile - Customers should be able to access handling money providers fees through their phones -  Response within 60 days -  Written contract is mandated 29 such rules have been adopted, they usually have been activity- or institution-specific rather than Box 7. The lag between DFS development and FCP reform comprehensive and uniform. Despite this, the majority The speed of DFS development, along with reforms of DFS markets in the countries studied have thrived. to the first three enablers, tends to leave in its wake a Our assumption in presenting FCP as an enabler is range of “catch-up” work to fill in and harmonize FCP that, as in other financial services markets, the lack of standards. In Côte d’Ivoire, for example, disparate consumer protection rules are embedded in banking, effective consumer protections poses significant risks microfinance, payments, e-money, and e-commerce to vulnerable consumers as well as to the medium- to legislation.a The same agent may handle mobile long-term stability and integrity of the DFS market. money accounts (for bank and nonbank issuers), bill payments (for PSPs), and OTC transfers (for banks)— each of which is subject to different FCP rules. FCP rules relevant for DFS may be embedded in general consumer laws, FCP legislation or Similar issues arise in Ghana, where a comprehensive framework for consumer recourse applies to all guidelines, banking regulations, or regulations on financial services providers (including EMIs).b But payments or e-money. The result tends to be an the framework for disclosure is more fragmented, uneven patchwork of regulation. (See Table 6 for an with a specific regulation on credit products overview of DFS consumer protection frameworks.) (other than credit cards)c and disclosure provisions included in the e-money guidelines (but no rules specified for savings products). Protections against General FCP rules are set in banking laws and error and fraud in payments services are insufficient. regulations in several of the countries studied. These There is a significant push underway in Ghana to address these issues, and both WAEMU and Côte apply in some form (that may not always be clear) to d’Ivoire are reforming their FCP framework. DFS providers that are licensed or authorized by the a. The financial services regulations are issued by WAEMU, banking regulator or that handle banking products. which is also encouraging member countries to set up Usually, there are also specific rules by institution or financial sector ombudsman institutions. See Meagher (2017). b. The Consumer Recourse Mechanism Guidelines for function, such as those applying to EMIs or the use Financial Service Providers (2017). of agents. For example, Uganda applies its Financial c. The Disclosure and Product Transparency Rules for Credit Products and Services (2017). Consumer Protection Guidelines to all types of regulated financial services providers and their agents, and additional FCP provisions are incorporated into Separate FCP rules for different providers or services its Mobile Money Guidelines. Bangladesh takes a may produce gaps, loopholes, and regulatory arbitrage. similar approach, providing general guidelines for This situation may pose less of a risk in markets where all regulated financial institutions and more specific banks dominate the DFS sector. (However, this rules for MFS. approach may not be preferred for other reasons). India, for example, has a consumer charter that states In other cases, there is no comprehensive FCP broad FCP principles that apply to the banking sector, framework. Kenya, for example, has incorporated including payments banks.77 In general, however, there consumer guidelines in the prudential standards for is a clear case for a harmonized approach to defining banks, but these do not apply to PSPs. Rwanda does FCP rules for DFS. The first step in achieving this is to not have a general FCP law, but DFS-specific FCP rules ensure that the financial regulator exercises authority are incorporated in the regulations on EMIs (2016). over FCP. A second goal is to adapt general FCP Similarly, in Tanzania, there is no FCP regulatory standards to the specific needs of DFS customers and framework that covers the whole financial sector, but ensure that all types of providers and channels are specific rules are included in the National Payments covered. It is also critical to require, as many of the 10 System Act and in regulations on e-money (2015) and countries do, that financial services providers ensure agent banking (2017). Côte d’Ivoire and Ghana follow compliance with FCP standards when they deliver their a similar fragmented approach (see Box 7). services through agents. 77 The Charter of Customer Rights provides model principles to be incorporated by banks into their board-approved policies and monitored by the central bank (https://rbidocs.rbi.org.in/rdocs/content/pdfs/CCSR03122014_1.pdf). The Charter applies to payments banks in the absence of specific regulatory provisions for the latter. 30 FCP rules are mostly concerned with transparency, Kenya and Tanzania, the provider has an affirmative duty recourse and complaints handling, and service delivery to notify the customer of the terms of an impending standards. Each of these will be discussed in turn. As transaction.79 Kenya reinforced this duty in 2016, discussed in Section 1, fund safeguarding rules are when its Competition Authority ruled that all financial another important measure to protect customers. services providers that use digital channels must present consumers full information on costs, before they use the 4.2 Transparency service, on the same screen on which the consumer is transacting (Mazer 2016). Uganda requires providers to Transparency rules relate to the disclosure of disclose charges to clients via mobile phone (without terms, use (and content) of consumer agreements, specifying how this would be done on a feature phone), and application of these standards at points of and to provide a copy of the agreement being entered service, including agents. at the time a mobile money account is opened.80 Post-transaction notifications may also be mandated. Disclosure includes general information about Several countries (Ghana, Uganda, Myanmar) require services and products, and specific information the financial services provider or its agent to provide a about individual transactions. These requirements confirmation notice to clients for each transaction. These appear in regulations specific to payment services must include information such as the type and amount and e-money/mobile money—and in most cases, they of the transaction, the fees charged, the transaction also appear in general FCP rules. reference, and details of the recipient of an outbound transfer or the sender of an inbound transfer. The countries studied require providers to post general information on products, including fees, commissions, A minority of the 10 countries (Uganda and Ghana) and other costs. Several countries (Ghana, Kenya, require providers to explain key terms and conditions Pakistan) require this information to be displayed to the client before the client signs a contract.81 In physically in main offices and at branches and agent Côte d’Ivoire, WAEMU regulations require that the locations. Alternatively (or additionally), the rules may conditions for the use of payment instruments and require such information to be published through accounts be clearly explained to the customer at the widely used media such as the internet or newspapers time the account is opened, and that they also be with broad circulation. Internet disclosure, for example, incorporated into the agreement.82 is required in India and Bangladesh. 78 While this will become more relevant with increased smartphone DFS regulations in most of the countries studied adoption, many consumers either (i) are unable to do not stipulate a standard disclosure format. An access terms posted on the web through their mobile or exception is the Bank of Ghana’s issuance of a computers or (ii) find it inconvenient to do so (because standard summary sheet for use in disclosure of they would have to switch to another device to find e-money account terms. A related requirement has the information). Providing summary terms through to do with the predictability of terms and conditions, commonly used channels such as SMS would address including charges. Some of the countries address the latter point (Mazer and Fiorillo 2015). this in regulation—Uganda, for example, requires a minimum of 30 days’ notice of any changes.83 In addition, some of the countries studied require providers to take positive steps to ensure that customers Often, the minimum content of general disclosure are informed of specific terms and conditions. Thus, in is defined. Typically, this includes at least a list of 78 India: Policy Guidelines on Operation of Prepaid Payment Instruments, sec. 14; Model Customer Rights Policy, art 2; Business Correspondent Guidelines, art. 9. Bangladesh: Guidelines for Consumer Services and Complaint Management, arts. 2.05 and 2.09. 79 Kenya: National Payment System Regulation 2014, art. 37. Tanzania: National Payment System Act 2015, art. 51; Electronic Money Regulations 2015, art.44. 80 Mobile Money Guidelines, Part II. 12.b. 81 Uganda: Mobile Money Guidelines, Part II. 12.b. Ghana: E-money Guidelines sec. VI.27 82 Payments Regulation 2002, art. 15. Côte d’Ivoire’s national E-Commerce Law (2013) provides standards on advertising, offers, contract provisions, transparency of prices, and disclosure of identifying information on the seller of goods and services. 83 Mobile Money Guidelines, Part II. 12.b. 31 fees and charges, but it may also include other (in effect, representing both sides of the transaction) information such as the principal’s liability related and require agents to post a statement to that effect.84 to the service (Pakistan), the terms and conditions In some cases, agents must post information on where of the service (India and Tanzania), the customer to file complaints (see Section 4.3). charter (Bangladesh), and general information on the risks of products and services (Ghana and India). Although this analysis focuses on the foundations of FCP in the DFS field, it is clear that regulations Most of the 10 countries studied apply some form of on transparency also touch on “next generation” contract standards to DFS providers. Several require issues of market conduct—for example, requiring a written contract (which may be electronic, e.g., in prior disclosure of certain actions. Two further Côte d’Ivoire, Ghana, and Myanmar), and some also aspects of market conduct are nevertheless worth mandate (or prohibit) certain contractual provisions. mentioning here, given their importance for FCP There are a few countries (including India and and the overall credibility of DFS: data protection Tanzania) that require contracts to be in clear, simple and fraud mitigation rules (see Box 8). language. In a few other countries, the customer must be given a copy of the draft contract to review (Côte Customer recourse and 4.3  d’Ivoire) or a copy of the signed contract to keep complaints handling (Uganda). Standard customer agreements may need regulatory approval (Rwanda), although this does not Increasingly, financial sector regulators are requiring appear to be formally required in most countries. providers to establish a mechanism for receipt and handling of customer complaints. All 10 countries studied All the countries studied have rules on the display of incorporate this principle into regulation and apply it in the agent’s identification, name (and often the phone some form to DFS. As with other FCP components, this number) of the principal, and charges and fees for one is covered in different legislative texts, whether on different products and services. Most countries forbid the banking, e-money, payments, or consumer protection. agent to alter the principal’s fee schedule or to charge The treatment of this issue appears consistent across additional fees, and many require agents to post written most of the 10 countries studied, but the potential for notice that they are not allowed to charge extra fees. gaps and conflicts does arise. WAEMU, for example, has Ghana and Uganda, moreover, expressly prohibit the such a provision in its e-money regulation but not in its agents’ conducting transactions on behalf of the client banking or payments legislation.85 Box 8. Protecting client data and controlling fraud Data protection and fraud mitigation could be as to how much confidence should be placed in the considered “next generation” FCP issues, but they protections adopted. are becoming increasingly salient as DFS markets DFS regulation must address DFS’s susceptibilities to develop. In both areas, controls are being developed, fraud. Providers are generally held liable for loss or but are often not (yet) consistent or comprehensive. harm from fraud (unless due to the negligence of the Collection, storage, and analysis of client data are customer), and some countries require active steps critical to the evolution of DFS models, especially to mitigate fraud. Bangladesh, for example, shields those involving credit. Most countries require customers from liability for losses caused by the fraud or financial services providers to keep client information negligence of PSP officers or agents, companies involved confidential and, in some cases, to ensure that their in networking arrangements, and merchants linked agents do so as well. Uganda, for example, requires to the card or other communication system. WAEMU the provider to disclose to the client (before entering requires that such a liability provision be written into an into the agreement) the conditions under which client e-money account agreement. In Pakistan, branchless data are kept Some countries, but not all, require prior banking providers must institute customer awareness customer consent for the use of such data. Recent programs about fraud, and prevention must include the breaches of financial data security raise questions blacklisting of agents that have been involved in fraud. 84 Ghana: E-money Guidelines VI.27, Agent Guidelines V.21 and 22. Uganda: Mobile Money Guidelines, Part II. 12.a and 12.b. 85 WAEMU member countries such as Côte d’Ivoire are committed to establishing comprehensive financial ombudsman institutions based on a regional model—a step in the direction of harmonization across the financial sector. 32 The content of regulations dealing with complaints minimum period (often six years, as in Ghana), and varies. Several countries (India, Myanmar, Kenya, report data on complaints and resolutions to the Tanzania) require providers to have effective or adequate regulatory authority. complaint mechanisms. Many specify that the procedures should be easy to use and the information for customers 4.4 Service delivery standards easy to understand. Most of the countries require DFS providers to accept complaints in person, on the DFS operates on the premise that access to digital phone, or by email—and to provide customers with the connections and transaction services should be appropriate contact information. WAEMU regulations continuous and largely free of interruption. Thus, a state that complaints systems must be accessible through majority of the 10 countries studied have a general multiple communication channels—to both customers requirement of service availability. Only a few countries and merchants/payees.86 Given the importance of agents specify a threshold—for example, Ghana requires for customer-facing interaction, most of the countries EMIs to ensure 99.5 percent service availability, direct agents to provide information about complaints with any disruption (actual or anticipated) promptly handling. Ideally, consumers should be able to access communicated to customers, while Uganda sets a floor the redress system through a toll-free phone number, in of 95 percent system uptime.89 Côte d’Ivoire and Pakistan person, and by written communication, as well as through have a general requirement of consistent availability. the channels available for the product in question (e.g., There is little evidence as to how these requirements SMS, USSD, and web). have been implemented and enforced in practice. The internal details of how the complaints unit Regulators wish to ensure speed and reliability. Thus, responds to complaints received are not addressed by several countries require providers to have a digital regulation in most of the 10 countries studied (except platform that meets minimum quality and security in Ghana and India). In most of the countries, the standards. Rwanda, for example, expressly states regulator has fixed a maximum turnaround deadline the provider’s liability for any damages suffered by for provider responses in each stage of the complaint a consumer due to the provider’s failure to comply process. In Ghana and Tanzania, complaints must with reliability standards. Similarly, in Bangladesh, a be tracked, with receipts (complete with reference PSP is liable to its customer for a loss caused by the numbers) issued to the complainant. 87 failure of an electronic funds transfer (EFT) system to complete a transaction accepted by a terminal in In addition, all 10 countries designate an appeal route accordance with the customer’s instruction. Kenya for complainants, either to the financial regulator (the exempts the provider from liability for nonexecution majority), to the competition or telecom regulators of payments in limited circumstances and, otherwise, (sometimes as an alternative to the financial regulator, as requires it to correct any such failure without delay.90 in Tanzania and Rwanda), or to an ombudsman.88 India Such provisions are typically found in regulations on adopted a Banking Ombudsman Scheme (2006), under payments or on electronic transactions/EFT. which complaints and appeals are received. Pakistan did so as well, but its scheme covers only microfinance and DFS regulation must balance the need for certainty— Islamic banks. An ombudsman scheme is also being set irrevocability—in transactions against the need to up in WAEMU (where national financial ombudsman allow for correction of mistaken or unauthorized institutions are called observatoires). transactions. A component of this is for providers to ensure speedy resolution of such mistakes (ideally Most countries require providers to keep track of before recipients withdraw funds) by directing complaints, retain complaints documentation for a queries to a call center team dedicated to this task. 86 This requirement is stated in the BCEAO e-money instruction (art. 30), but not in the rules on OTC transfers. 87 Ghana: E-Money Guidelines VI.27. Tanzania: Mobile Banking Transactions, Annex III. 88 In addition, the courts might be another option for appeals, but their usefulness and effectiveness to the consumer varies widely. 89 Ghana: E-money Guidelines VI.27; Uganda: Mobile Money Guidelines, Part II. 6.a.iv. 90 Rwanda: Electronic Transactions Law. Art. 51. Bangladesh: Regulations on Electronic Fund Transfer 2014. Arts. 5, 8–12. Kenya: National Payment System Regulation 2014. Part II.15, 28 33 A majority of the 10 counties studied have regulatory have institution- or product-specific FCP rules provisions in this area. In some cases (Myanmar), rather than comprehensive rules. The framework providers have a general duty to inform customers of the of rules ideally should cover all relevant channels risks of mistake or loss, and to notify them of their rights and providers in a consistent manner. DFS should and responsibilities. In other countries, the rules specify be subject to general FCP rules and more specific how and under what conditions customers may demand rules targeted to DFS (e.g., e-money, payments, the revocation of a transaction. For example, in India, delivery via agents). To date, the countries studied banks that offer mobile banking services must notify have fallen short of this standard. customers of the timeframe and the circumstances in which any stop-payment instructions can be accepted. Conclusion Kenya has a similar rule for PSPs that provides that a transfer can be revoked only in line with the dispute We have analyzed how the countries in the resolution protocols formally established by the PSP. study have addressed the basic enablers in their (Bangladesh follows a comparable approach.) Pakistan regulatory frameworks for DFS. What are the requires these issues to be stated in the customer lessons of their experience? agreement, along with the contact information for customers to report unauthorized transfers. In case The importance of the four basic regulatory enablers is of dispute, both Pakistan and Bangladesh place the consistently established in research and policy discussions. burden of proof on the provider to show that a disputed There is wide agreement that the enablers are necessary transfer was authorized by the customer. (but not sufficient) for DFS to reach its potential and achieve long-term sustainability. Experience indicates In the countries studied, regulators have established that that uptake is greater when at least three of the basic digital payments are irrevocable unless the receiving enablers are in place than in their absence, but showing party consents to the return of the money. Irrevocability a strict causal relationship is difficult for several reasons.91 sometimes depends on the availability of a validation There is less evidence that the fourth enabler—consumer protocol that allows senders to confirm the recipient protection—is a necessary condition for markets to take before sending a transfer. Clear prior disclosure of the off. However, consumer protection issues need to be parties’ rights and responsibilities is critical in any case. addressed to guarantee the healthy development of markets as they mature. 4.5 Summary of experience This research provides comparative case study analyses The following general patterns emerge from the that can serve to inform discussion and guide policy 10 countries’ experience in this area: development. The country experiences show that each country has used its own approach to set up • Convergence exists on regulations governing matters the enablers. They demonstrate the ways in which such as required disclosures, complaint handling, and an activity that is at least superficially simple for the irrevocability of transactions, although details vary and user must be engineered through detailed regulatory there is still substantial room for adopting international measures that take into consideration each country’s standards or good practices from other countries. contextual foundation. That context is formed by the • Remaining areas of divergence exist with respect influences of the market, the political economy, the to establishing standard disclosure formats and broader regulatory system, the level of technological financial ombudsman institutions. development and innovation, and cultural and historical • Piecemeal regulatory development produces experiences. In the end, the rules that govern DFS often inefficiencies and other challenges. Most countries inhabit different bodies of legislation and reflect the 91 First, whether any one of the enablers is in place is not a binary, yes-no question, as each of them comprises a range of key regulatory decisions. Second, regulation is only one, albeit important, element of the DFS ecosystem (and perhaps more readily identified as a contributor to failure than to success). Third, our sample of countries is too small and idiosyncratic to measure or attribute outcomes with any rigor. Last, regulatory changes are in many cases too new to have had full effect, and the absence of other sufficient conditions poses a constraint. For examples of an approach to build an index of the regulatory environment for financial inclusion and derive overall country scores, see EIU (2016) and Rojas-Suarez and Pacheco (2017). Such an approach comes with its own challenges, which are not discussed here. 34 historical evolution of financial sector legislation. Going including policies in such areas as competition and forward, there needs to be a clearer and more consistent interoperability, play a role in shaping DFS access. set of rules that govern each of the four enablers. Ultimately, the quality of the regulatory framework Our research shows patterns that help explain results. depends at least as much on the capacity of policy Few areas in a regulated economy can truly be makers and regulators as on the content of the rules. described as “build it and they will come.” This appears The demands on regulators have grown. The rise of especially true of DFS. The spectacular successes in cryptocurrencies and FinTech innovations pose new a country such as Kenya probably owe more to an questions that regulators are struggling to answer. aggressive first mover dragging the market and the With these other priorities claiming attention, policy regulators along with it than to a systematic process of makers and regulators are not always tightly focused a priori framing. Regulatory frameworks in some other on enabling digital financial inclusion. countries considered here reflect a similar dynamic. Often, as with regulation permitting nonbank e-money Yet there does appear to be a collective learning issuance, there is a build-up of pressure by prospective process. This happens both within and across countries players, but the market cannot operate until either as the frontier of good practice moves outward and the rules are in place or the regulator issues a “no demand grows for peer countries to share the lessons of objection.” In other areas, such as FCP, rapid market experience. Some of the 10 countries studied (Myanmar) development leaves gaps that allow risks to accumulate have only recently adopted specific regulations for DFS until policy makers and regulators can provide a and have been able to learn from the earlier experience patch—or craft a more comprehensive solution. of other countries. Others (Ghana) can look back on many years of experience with DFS regulation and learn As for the individual enablers, some broad insights arise from past mistakes. Still others (Pakistan) have been able from the study. Experience from the African countries to improve their regulatory framework gradually over shows the importance of EMIs in the first enabler. Even in time. In general, piecemeal approaches have yielded those countries that have not set up a separate licensing patchwork regulation, but recent years have seen more framework for e-money issuance, nonbanks have found consistent, systematic approaches. Thus, as we have other ways to play a leading role in DFS by acquiring tried to show here, evidence is at hand to guide policy or setting up banks (Pakistan) or taking advantage of makers in creating a framework that truly enables DFS the license of their parent bank (Bangladesh).92 The and allows regulators to focus their attention on the second enabler, the use of agents, seems to be the most areas of highest risk. consistently observed in practice. In all 10 countries, the liability of the principal for its agents’ actions is a key References tenet that allows the regulator to focus its attention on the principal. In most cases, there is substantial flexibility Alliance for Financial Inclusion (AFI). 2016. “Digital Financial Services: Basic Terminology.” Guideline Note (as there should be) regarding who can be an agent. The No. 19. Kuala Lumpur: AFI, August. third enabler, risk-based CDD/KYC, is strongly influenced Arabehety, Pablo Garcia, Gregory Chen, William by the desire to comply with FATF guidance. The shift Cook, and Claudia McKay. 2016. “Digital Finance toward risk-based rules at global and national levels, Interoperability & Financial Inclusion: A 20-Country Scan.” combined with ID system developments, is starting Working Paper. Washington, D.C.: CGAP, December. to allow for more flexible DFS outreach. Consumer BCBS (Basel Committee on Banking Supervision). 2016. protection, the fourth enabler, comes into the picture “Guidance on the Application of the Core Principles for Effective Banking Supervision to the Regulation and rather late, and has a less obvious role in jump-starting Supervision of Institutions Relevant to Financial Inclusion.” DFS markets. But its importance for safety and trust- Basel: BCBS, September. building, which are crucial for long-term sustainability of Burjorjee, Deena, and Barbara Scola. 2015. “A Market DFS, is increasingly recognized. In all this, one must bear Systems Approach to Financial Inclusion: Guidelines for in mind that other conditions besides these enablers, Funders.” Washington, D.C.: CGAP, September. 92 The Indian experience of awarding a limited purpose banking license (a payments bank license) is still relatively recent and it remains to be seen whether the fact that payments banks are a type of bank allows for similar flexibility and market take-off as an EMI license. 35 CGD (Center for Global Development). 2016. “Financial ITU (International Telecommunication Union). 2017. Regulations for Improving Financial Inclusion: A CGD Task “ITU-T Focus Group on Digital Financial Services: Main Force Report.” Washington, D.C.: CGD. Recommendations.” Geneva: ITU, March. CPMI (Committee on Payments and Market Infrastructure) Izaguirre, Juan Carlos, Tim Lyman, Claire McGuire, and and World Bank Group. 2016. “Payments Aspects of Financial Dave Grace. 2016. “Deposit Insurance and Digital Financial Inclusion.” Basel: CPMI and World Bank Group, April. Inclusion.” Brief. Washington, D.C.: CGAP, October. Dias, Denise, and Stefan Staschen. 2017. “Data Collection Lyman, Timothy R., Gautam Ivatury, and Stefan Staschen. by Supervisors of Digital Financial Services.” Working 2006. “Use of Agents in Branchless Banking for the Paper. Washington, D.C.: CGAP. Poor: Rewards, Risks, and Regulation.” Focus Note 38. Washington, D.C.: CGAP, October. Dias, Denise, Stefan Staschen, and Wameek Noor. 2015. “Supervision of Banks and Nonbanks Operating through Lyman, Timothy R., Mark Pickens, and David Porteous. 2008. Agents: Practice in Nine Countries and Insights for Supervisors.” “Regulating Transformational Branchless Banking: Mobile Working Paper. Washington, D.C.: CGAP, August. Phones and Other Technology to Increase Access to Finance.” Focus Note 43. Washington, D.C.: CGAP, January. de Koker, Louis, and John Symington. 2011. “Conservative Compliance Behavior: Drivers of Conservative Compliance Malady, Louise, Ross Buckley, and Cheng-Yun Tsang. Responses in the South African Financial Services Industry.” 2015. “Regulatory Handbook: The Enabling Regulation of Cape Town: CENFRI. http://dro.deakin.edu.au/view Digital Financial Services.” UNSW, December. /DU:30039928 Mas, Ignacio. 2015. “Shifting Branchless Banking di Castri, Simone. 2013. “Mobile Money: Enabling Regulation from Enabling to Fostering Competition.” Regulatory Solutions.” London: GSMA, February. Banking & Finance Law Review, Vol. 30, No. 2. EIU (Economist Intelligence Unit). 2016. “Global Mazer, Rafe. 2016. “Kenya Ends Hidden Costs for Microscope 2016: The Enabling Environment for Financial Digital Financial Services.” Blog post, 2 November. Inclusion.” New York, NY: EIU. http://www.cgap.org/blog/kenya-ends-hidden -costs-digital-financial-services Evans, David, and Alexis Pirchio. 2015. “An Empirical Examination of Why Mobile Money Schemes Ignite in Mazer, Rafe, and Alexandra Fiorillo. 2015. “Digital Credit: Some Developing Countries but Flounder in Most.” Consumer Protection for M-Shwari and M-Pawa Users.” Chicago: University of Chicago Coase-Sandor Institute Blog post, 21 April. http://www.cgap.org/blog/digital- for Law and Economics. credit-consumer-protection-m-shwari-and-m-pawa-users FATF (Financial Action Task Force). 2012. “International Mazer, Rafe, and Philip Rowan. 2016. “Competition Standards on Countering Money Laundering and the in Mobile Financial Services: Lessons from Kenya and Financing of Terrorism & Proliferation—The FATF Tanzania.” Washington, D.C.: CGAP, January. Recommendations.” Paris: FATF, February. ———. 2013. “Guidance for a Risk-Based Approach: McKee, Katharine, Michelle Kaffenberger, and Jamie M. Prepaid Cards, Mobile Payments and Internet-Based Zimmerman. 2015. “Doing Digital Finance Right: The Payment Services.” Paris: FATF, June. Case for Stronger Mitigation on Customer Risks.” Focus Note 103. Washington, D.C.: CGAP. ———. 2014. “Guidance for a Risk-Based Approach: The Banking Sector.” Paris: FATF, October. Meagher, Patrick. 2017. “Regulatory Framework for Digital Financial Services in Côte d’Ivoire: A Diagnostic ———. 2016. “Guidance for a Risk-Based Approach: Money Study.” Working Paper. Washington, D.C.: CGAP. or Value Transfer Services. Paris: FATF, February. Porteous, David. 2006. “The Enabling Environment for ———. 2017. “FATF Guidance: Anti-Money Laundering Mobile Banking in Africa.” Boston: BFA, May. and Terrorist Financing Measures and Financial Inclusion with a Supplement on Customer Due Diligence.” Paris: Rashid, Naeha, and Stefan Staschen. 2017. “Applying FATF, November. the RIA Lite Methodology: An Example from Pakistan.” Working Paper. Washington, D.C.: CGAP, October. Garcia Arabehety, Pablo, Juliana Fontal Díaz, and Nidia Ruth Reyes Salomón. 2016. “Colombia’s Recipe for 100% Rojas-Suarez, Liliana, and Lucía Pacheco. 2017. “An Index Agent Coverage: Aggregation & Sharing.” Blog post, 9 of Regulatory Practices for Financial Inclusion in Latin May. http://www.cgap.org/blog/colombia%E2%80%99s- America: Enablers, Promoters and Preventers.” Working recipe-100-agent-coverage-aggregation-sharing Paper 17/15. Madrid: BBVA Research. GPFI (Global Partnership for Financial Inclusion). 2016. Tarazi, Michael, and Paul Breloff. 2010. “Nonbank E-money “Global Standard-Setting Bodies and Financial Inclusion: Issuers: Regulatory Approaches to Protect Customer The Evolving Landscape.” Washington, D.C.: GPFI, March. Funds.” Focus Note 63. Washington, D.C.: CGAP. Greenacre, Jonathan, and Ross Buckley. 2014. “Using Tsang, Cheng-Yun, Louise Malady, and Ross Buckley. 2017. Trusts to Protect Mobile Money Customers.” Singapore “Promoting Financial Inclusion by Encouraging the Payment Journal of Legal Studies, 59–78. of the Interest on E-Money.” UNSW Law Journal 40 (4). No. 109 May 2018 Please share this Focus Note with your colleagues or request extra copies of this paper or others in this series. CGAP welcomes your comments on this paper. All CGAP publications are available on the CGAP Web site at www.cgap.org. CGAP 1818 H Street, NW MSN P157-700 Washington, DC 20433 USA Tel: 202-473-9594 Fax: 202-522-3744 Email: cgap@worldbank.org © CGAP, 2018 The authors of this Focus Note are Stefan Staschen, who Veronica Trujillo for extensive research support and Denise Dias, leads CGAP’s work on DFS regulation and supervision, and Xavier Faz, Jeremiah Grossman, and Juan Carlos Izaguirre for Patrick Meagher, a CGAP consultant. The authors wish to thank reviewing this paper. Suggested citation: Staschen, Stefan, and Patrick Meagher. 2018. “Basic Regulatory Enablers for Digital Financial Services.” Focus Note 109. Washington, D.C.: CGAP. ISBN: 978-1-62696-081-7 Foundation Global Affairs Canada