Regulators, Mount Up! Analysis of Privacy Policies for Mobile Money Services

Emerging digital financial services use mobile phones to provide access to populations traditionally excluded from the global economy. These "mobile money" services have proven extremely successful in their first ten years of deployment, and provide a powerful means of raising people out of poverty. Such services have access to a wealth of customer information, potentially including entire purchase histories, geolocation, and social network information. In this paper, we perform the first study of privacy policies in mobile money services, evaluating policies from 54 services and comparing them to 50 policies from traditional financial institutions. Because mobile money services are developed under a wide range of regulatory environments, we compare policies to the industry standard (the GSMA's Mobile Privacy Principles) and to a traditional national standard (the FDIC's Privacy Rule Handbook). Our analysis shows that almost half (44%) of these mobile money services do not have any privacy policy whatsoever. Of the services that do have privacy policies, roughly one-third (33%) fail to provide them in either of the two most common languages of their market. Furthermore, 50% of these policies do not ever identify to the user what data is actually being collected and stored. Finally, we find that where policies do exist, they are often incomplete and diffcult to read by their target customers. These findings show that more work is needed to protect consumer privacy within these mobile money services.