GOOGLE’S POLICY RESTRICTING THE ACTIVITIES OF DIGITAL LOAN APPLICATIONS ON ITS PLAYSTORE IN NIGERIA: A SIGN OF ELEVATED REGULATORY SCRUTINY
From 2020, Nigeria experienced the heighten presence of digital lenders offering collateral free loans to members of the public. This was generally welcomed and qualified applicants took full advantage of the offering.
In recent times, grave concerns have been raised with respect to the practices of many of these digital lenders, as individuals who obtained credit via their digital platform, have experienced extreme harassment by representatives or agents of these lenders. Debt recovery agents have been known to access defaulting borrowers’ and their telephone contacts’ personal information, send defaming messages and expose confidential personal data of such persons to third parties. In more extreme cases, loan companies have utilised manipulated images to further intimidate and distress those in debt. Tragically, it has been suggested that a number of these targeted individuals have succumbed to the pressure and taken drastic, irreversible and sometimes fatal measures.
In 2022, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) in an attempt to curb the excesses of these digital platforms, barred all financial technology companies from providing payment or transaction services to online money lenders known as ‘loan sharks’ and shut down some illegal online money lenders.[1]
GOOGLE’S POLICY RESTRICTING DIGITAL LOAN APPS ON PLAYSTORE
To ensure the data privacy of consumers and users on its platform, Google, the search engine giant, released a Policy on the 5th of April 2023, on its Play Store[2], restricting loan applications from accessing their clients’ external storage, photographs, videos, contacts, precise location, and call logs. The change came into effect on the 31st of May 2023. This policy states that “Apps that provide personal loans or have the primary purpose of facilitating access to personal loans (i.e., lead generators or facilitators), are prohibited from accessing sensitive data, such as photos and contacts.”. This Policy mandates digital money lenders in Nigeria, India, Indonesia, the Philippines, and Kenya to conform with this policy or face removal from the Google Play Store.
GENERAL DISCLOSURE REQUIREMENTS OF THE POLICY[3]
According to the Policy, Applications that provide personal loans must disclose the following information in their “metadata”, i.e., the fields filled with information about the application:
1.The minimum and maximum period for repayment.
2. The maximum Annual Percentage Rate (APR) which must include interest rates plus the fees and other costs for a year.
3.A representative example of the total cost of the loan, including the principal amount, interest, and all applicable fees.
4.A privacy policy that discloses in its entirety the access, collection, use and sharing of personal and sensitive user data, subject to the restrictions in the Google rules.
Restrictions[4]
Under the updated policy, applications that require the full repayment of loans in 60 days or less from the date of issuance cannot be listed on the Google Playstore. Also, applications that provide or facilitate access to personal loans are prohibited from accessing sensitive data such as photographs and contacts. This prohibition covers access to customer’s external storage, images, contacts, location, telephone numbers and media videos.
RULES SPECIFIC TO NIGERIA[5]
In addition to the above, digital money lenders in Nigeria are obliged to comply with the following requirements:
- Completing a personal loan application declaration form which requires the digital lender to confirm the submission of a Digital Money Lenders (DML) application and the receipt by the lender of full approval or conditional approval from the FCCPC.
- Compliance by the lender with the Limited Interim Regulatory Registration Framework and Guidelines for Digital Lending 2022 by the FCCPC.
- Loan aggregators must provide documentation and/or certification for digital lending services and contact details for every DML that they ‘partner’ with.
- Any such other additional information or documents as may be requested by the Google Playstore.
THE KEY REGULATORS IN FOCUS
The Nigeria Data Protection Commission (NDPC)
The Data Protection Act 2023 established the National Data Protection Commission. According to Section 5 of the Act, the Commission is tasked with the functions of promoting awareness to Data Controllers and Data Processors of their obligations under the Act and supervising the implementation of the provisions of the Act. Some other functions include advising the government on policy issues relating to data protection and privacy, licensing, accrediting, and registering bodies to provide data protection compliance services and submitting legislative proposals to the Minister, including amending existing laws amongst others.
Before the establishment of the Commission, the National Information Technology Development Agency (NITDA) ,a Federal Government Agency was responsible for the oversight of Data Protection and Data Privacy in Nigeria which issued the Nigeria Data Protection Regulation (NDPR) in 2019 for the regulation of data protection[6] and on the 4th of January 2022, the former President of Nigeria, President Muhammadu Buhari approved the establishment of a new government agency, the Nigeria Data Protection Bureau (NDPB) charged with the responsibility of enforcing compliance with the provisions of the Nigeria Data Protection Regulations 2019.
According to the provisions of the NDPR, the lawful basis upon which Data Processors or Controllers (including digital lenders) can process the personal data of their customers includes the presence of certain elements including the fact that such information was only be collected for a lawful and legitimate purpose and such processing or with the consent of the customer, amongst other grounds. The publishing of names and further details of loan defaulters with third parties serves as a violation of the NDPR and subsequently the new Data Protection Act, 2023.
Breaches of these principles have led to the enforcement action against SokoLoans, a digital loan company that resulted in the imposition of a ₦10,000,000 (Ten Million Naira) fine by NITDA[7]. The fine imposed by NITDA shows the extent to which NITDA could wield its powers to protect data privacy rights. In this case, SokoLoans granted customers uncollateralised loans after they had downloaded its mobile application on their phone. The SokoLoans application could access customers’ mobile phone contacts, and when certain customers defaulted in repayments, spam messages were sent to the mobile phone contacts of such customers. NITDA considered this to be ‘Illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR.”
Federal Competition and Consumer Protection Commission (FCCPC)
The Federal Government of Nigeria through the Federal Competition and Consumer Protection Commission (FCCPC) recently approved the operations of 170[8] loan apps out of the 200 apps operating in the country. To strengthen its enforcement actions, the FCCPC in August 2022, released a ‘Limited Interim Regulatory/ Registration Framework and Guidelines for Digital Lending 2022[9]’ to control the digital lending market, enforce registration and make approval a requirement for companies seeking to operate in the space. Subsequently, the Commission commenced the registration of the Digital Money Lenders (DMLs) by an Order and Notice of the Commission. To this end, existing DMLs were required to comply within ninety (90) days, which deadline initially expired on the 14th of November 2022 but was later extended to the 27th of March 2023.
These Guidelines stipulate as follows:
- All Applicants must complete and submit FCCPC Interim Digital Money Lending Guidelines Form 001 (Form DLG 001) which requires that an Applicant must provide the details of the Company such as the identity and nationality of promoters, directors and initial key role players, source(s) of funding, affiliations with any other companies, institutions, or similar businesses.
- Submission of other documents including certified copies of the certificate of incorporation of the Applicant, a description of the business of the Applicant and where relevant, its business groups, name and address of an authorised person within the business, any service level agreements with any service providers, evidence of feedback and complaint resolution mechanism, evidence of tax payments, alongside a completed /signed FCCPC Interim Digital Money Lending Guidelines Form 002 (Declaration for digital money lending businesses in Nigeria).
- It is required that an appointed representative should make certain declarations to be committed to the standards under the Framework for digital money lending business such as:
- The legitimacy of the business, its lawfulness and operating in compliance with any prevailing and applicable laws.
- compliance with all applicable regulatory requirements or approvals for deployment of any technology used for the purpose of business in Nigeria.
- The capital to be invested in the digital lending money business must not have its origin in fraud or from any proceeds of any illegal activity.
- Compliance with third party privacy rights and data including data unrelated to principles of lending as well as recovery practices that are consistent with fair lending principles and provided for under the FCCPA and the NDPR.
- The business operations must comply with the CBN Guidelines on Anti-Money Laundering and combating the Financing of Terrorism (AML/CFT).
CONCLUSION
Google’s policy is a welcome development in the era of collaboration between regulators and leading business enterprises in protecting borrowers from unscrupulous Digital Lenders. It is therefore advised that these regulatory agencies ensure that the approved loan companies adopt all relevant and applicable, legislation, Policies and Guidelines in this respect.
Also, technology companies as well as platforms that provide access to and host digital lending companies, have a responsibility to ensure that they comply not only with the local regulations applicable in their sector but with all applicable international regulations in tandem.
Author : Mary Ajibola – Associate, Lexworth Legal Partners
DISCLAIMER: LEXWORTH LEGAL PARTNERS
This document is intended only as a general discussion on the subject of this article. Please do not regard it as legal advice. We would be delighted to provide additional details or advice about specific queries, if required.
For further enquiries, kindly send an email to m.ajibola@lexworthlegal.com or info@lexworthlegal.com.
FOOTNOTES:
[1] https://businessday.ng/news/article/fccpc-goes-after-digital-money-lenders/
[2] https://support.google.com/googleplay/android-developer/answer/13161491.
[3] https://support.google.com/googleplay/android-developer/answer/13161491.
[4] https://support.google.com/googleplay/android-developer/answer/13161491.
[5] https://support.google.com/googleplay/android-developer/answer/9876821?hl=en
[6] https://guardian.ng/features/individuals-should-have-authority-to-decide-whether-to-share-sensitive-data-legal-experts-argue/
[7] https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/4914/
[8] https://techcabal.com/2023/04/05/fccpc-approves-173-loan-apps-in-nigeria-continues-suppression-of-illegal-players/
[9] https://fccpc.gov.ng/wp-content/uploads/2022/08/LIMITED-INTERIM-REGULATORY_-REGISTRATION-FRAMEWORK-FOR-DIGITAL-LENDING-2022-1.pdf