Cyber Resilience Must Focus On Marginalized Individuals, Not Just Institutions

Summary

Digital financial services (DFS) offer tangible benefits to consumers and communities, but they also increase exposure to fraud and predatory practices. Global actors, including governments, banks, mobile network operators (MNOs), and development agencies, have belatedly recognized that improving people’s lives requires improving cybersecurity in digital finance. But they must also prioritize boosting the cyber resilience of those who are most vulnerable to DFS-borne harms.

Cyber resilience has traditionally focused on institutions such as banks and financial technology firms. But it must also address the needs of individuals and communities, especially those least likely to rebound from cyber harms. Without cyber resilience, vulnerable individuals exposed to harm will fail to rebound, ultimately driving their exclusion or departure from the digital economy.

This working paper begins by considering the cyber threats faced by Africa’s most vulnerable or marginalized DFS consumers, including rural, low-income, or first-time digital users, and developing a more complete risk profile for these groups. This paper aims to ground discussion of how policies and practices can better support these consumers’ recovery when risk materializes into harm and considers which policies and practices are actively working against the cyber resilience of vulnerable and marginalized consumers. This paper then proposes three actions that could support cyber resilience for these consumers: increasing consumer-centrism in policy and regulatory postures; financial service providers adopting more robust technical protections for vulnerable consumers; and strengthening support for research and information-sharing to expose the unique challenges faced by consumers in emerging markets.

Introduction

Unbanked or underbanked people across Africa have begun to be included in the digital finance system, with over 180 million mobile money accounts in use across the continent in 2021.¹ The use of digital finance has demonstrably bolstered individuals’ resilience against shocks and increased access to channels for savings and credit.² But by entering the digital finance system, individuals put themselves at risk of abuse and malicious exploitation. Mobile fraud is estimated to cost Africans $4 billion every year; Kenya, South Africa, and Cameroon top the list of countries where this type of harm is most prevalent.³ In many countries, the costs of fraud in DFS are borne not just by the financial institutions but also by individuals.

Malicious cyber activities can cause significant harm; SIM swap fraud or account takeovers, for example, can be difficult to avoid or recover from.⁴ These harms affect all users, but they are especially devastating for vulnerable or marginalized groups. Although the fraction of losses borne by vulnerable individuals is small compared to institution-scale security breaches, the impact of losing a day’s or week’s wages is anything but small for an individual who lives day-to-day. In Kenya, for example, a consumer protection study found that it was not uncommon for DFS fraud to be perceived as causing significant losses, frequently surpassing a day’s wages.⁵ In Uganda, low-income women and those living in rural communities were found to be most impacted by risks arising from DFS.⁶ Challenges faced by many marginalized groups—such as lower levels of digital financial skills and literacy or less agency to seek redress when harms occur—contribute to their disproportionate burden.

Marginalized groups are not only impacted differently by DFS-borne harm; they are also increasingly targeted for online fraud and financial abuse or exploitation.⁷ Digital technology multiplies the attack surface available to malicious actors, making so-called smaller-scale criminal activity more lucrative. Consequently, this type of fraud has grown significantly in recent years.⁸

For hundreds of millions of people across the African continent, the capacity to rebound from attacks and continue to safely participate in the digital economy is crucial. Digital technologies can improve individuals’ access to critical services and their ability to maintain their livelihood. These technologies can also help individuals rebound from environmental stressors or humanitarian disasters. As such, maintaining the cybersecurity and cyber resilience of those engaging with the digital economy must be at the forefront of the development agenda.

Aaliyah, a customer in Nigeria, used a poorly protected point-of-sale (POS) terminal, which led to a fraudulent deduction that depleted her savings account.⁹ In Nigeria, where over 40 million people live in rural areas without basic banking services,¹⁰ POS merchants can be critical enablers to increase access to finance because they reach areas traditional banks often do not. But by using this POS terminal to participate in the digital economy, Aaliyah had put herself at risk. Her bank didn’t suffer the loss—she did. While the theft of a relatively small sum might seem inconsequential, for those living in poverty, this consequence of digital financial inclusion can be ruinous.

What Risks Do Vulnerable or Marginalized Groups Face?

As a goal, cyber resilience intends to reduce the overall risk of depending on cyber resources.¹¹ However, the dominant narrative around cyber resilience tends to center on systems instead of the individuals and communities being impacted by these systems. This institution-centered framing is overly narrow and would benefit from expansion to include resilience of individuals, particularly those who are least equipped to recover from the breakdown of system safeguards and protections (in other words, those whose risk profile is ultimately shaped by digital deprivation).¹² By deepening the development community’s understanding of the risks faced by DFS users in emerging markets, it is possible to begin to construct solutions for strengthening their cyber resilience—thereby strengthening their chances for positive participation in the digital economy.

Here are examples of where and how risks currently arise for people in vulnerable or marginalized groups:

– Malicious actors exploit low digital literacy and tech familiarity to defraud DFS users. For example, rural DFS users have been targeted with calls and messages requesting transfer of funds to remedy some fictional overpayment or plausible costs that haven’t actually occurred.¹³ Without adequate awareness in a community of common fraud tactics, their targeting can be highly successful and, therefore, troublingly scalable. This higher risk of exploitation increases the likelihood that those newly using DFS—whether urban, rural, affluent, or poor—will experience harm.

– Lack of affordability of secure hardware and software puts lower socioeconomic groups at greater risk. Low-income users are most likely to use older devices that are no longer supported with regular software update patches, and they are least likely to be willing or able to pay for the airtime to download updates. This elevates the chance that malicious software could take root (such as through the common vector of malware installed in a seemingly benign app) and allow unauthorized access to personal information or accounts.¹⁴ If a user lives in a region with frequent network or power outages, they may need to leave their mobile device with an agent to complete a transaction once service is restored, introducing greater risk of theft or misuse of their device and accounts.

– Even in more tech-savvy groups, confusion about regulations of a rapidly evolving field can be exploited for fraudulent gain. In Ghana, the public lacked sufficient awareness of how a new tax on electronic financial transactions, known as the e-levy, would be collected. Criminals exploited these widespread misunderstandings to convince customers to hand over account information to address fraudulent “tax” charges.¹⁵

– How women experience threats and risks can be markedly different from how men experience them. Establishing trust in DFS may require crossing different thresholds for different genders.¹⁶ For example, data protection measures perceived as sufficient by some might not offer the degree of privacy a woman needs to feel secure in sharing details (such as home address) that could result in her being harassed or physically harmed. And because women often face multiple challenges simultaneously, such as poor digital or financial literacy, lack of access or account ownership, and limited autonomy in financial transactions, they are often overrepresented in high-risk groups.¹⁷ 

– The likelihood of seeking and achieving redress for fraudulent DFS activity is low and likely even lower for vulnerable groups.¹⁸ Financial Sector Deepening Kenya reported that nearly half of mobile money users in Kenya lost money in 2021, primarily through phone fraud, with a quarter unable to recover the funds.¹⁹ Those experiencing fraud already face high odds of having a financial breach fully remedied, but in vulnerable or marginalized groups—which may have more limited trust in formal financial institutions or more limited individual agency due to their social status or education level—this can be exacerbated.²⁰

Other common practices in low-income groups, such as peer-to-peer lending, could prove relatively easy to exploit for fraudulent gain. When allowed to take root, cyber harms can irrevocably damage vulnerable users’ trust in the digital economy, ultimately translating to disengagement and exclusion.

Users in underserved markets often have general patterns of use that don’t conform to the presumed usage patterns for which cybersecurity protocols have been designed. For example, low-income consumers are more likely to use older, unsupported hardware and software and not install necessary security updates due to costly data charges. Low-income or rural users often share a phone among multiple people, diluting the strength of passwords or PINs. Frugal consumers frequently switch out their SIM cards to minimize airtime charges depending on which carrier has more expensive data rates at a different time of day. While these are savvy approaches to maximizing scarce resources in the digital economy, these behaviors compound the risk that a user’s device will be vulnerable to known threats. What’s more, these behaviors often do not match the user profiles for which many security protections are designed. Factoring in more nuanced user profiles reflecting on-the-ground reality for low-income or low-access groups strengthens the cybersecurity a system can claim. Cyber resilience must take a similar approach.

Current Practices That Undermine Vulnerable Users’ Cyber Resilience

The below challenges have the potential to drive people to disengage from the digital economy altogether.²¹ The development of stronger consumer protections can help to ensure that policies meant to engender trust in the digital economy sufficiently account for the number and type of threats users face, whether as a result of fraud or of user exploitation.

Firms’ Actions Encourage Cyber Criminals

Individual users are often a core point of vulnerability. Even with strong technical systems protections in place, the effectiveness of common exploitation channels, such as scams and phishing attempts, come down to how well-equipped a user is to identify and resist attempts at social engineering or defrauding. This is true for all users, but especially so for those who are less familiar with digital tech or those whose native language is not well-incorporated into digital financial tools and services. When firms opt for bare-bones security practices in DFS technology (such as forgoing multifactor authentication or data encryption or taking shortcuts with the assumption that common harms will be avoided by users or that vulnerabilities will be fixed in future software security patches), they are offering an easy target to entice cyber criminals. In Kenya, citizens have increasingly called for telecom companies to bolster the strength of authentication and security measures they use to ensure that the registration and replacement of mobile phone numbers is valid.²²

A historical culture of secrecy around cybersecurity breaches involving financial institutions and telcos has meant that rapidly evolving threats are exacerbated by a lack of awareness and preparedness among these firms. Without up-to-date insight into what fraudulent tactics are most prevalent and need addressing, DFS providers miss opportunities to take action and protect their users. Critically, some threats arise from within DFS firms themselves. Even the most cautious user may not be able to prevent, for example, SIM swap fraud. These insider threats defy many user-initiated protections and often result in a high burden of recovery.²³ System owners must shoulder more of the burden of addressing risks that DFS users face as a result of providers’ actions, or lack thereof.

Existing Regulations Fail to Address Consumer Challenges

Existing government regulations to address fraud and cyber harms often focus on traditional or formal institutions. More informal, less traditional, or smaller-scale needs for redress—whether from individual consumers, groups, or small business owners—frequently fall through the cracks. Regulatory responses within a given country can even depend on whether fraud occurred via channels of credit or debit. When protections vary across different services, this will have a disparate impact on low-income users whose usage patterns predispose them to rely on the financial services that are least protected.

Another problem with cybersecurity regulations is that they often take compliance-based approaches. Uniform, predefined “box-checking” lists dictate precautions and protections that institutions must adhere to. But these procedures often fall far short of effectively staving off threats that are neither uniform nor predefined.²⁴ Moreover, financial service providers and MNOs sometimes opt against practices that would better protect consumers when the penalty for noncompliance is less burdensome than addressing the risk (for example, paying a small, one-time fee for a data breach rather than investing in necessary but costly data protection protocols).

Firms’ and governments’ policies and regulatory structures often limit liability for cybersecurity breaches. This puts the onus of recovery from online financial fraud onto consumers rather than the institutions providing DFS. Banks and telcos often require customers to sign agreements that absolve the institutions of responsibility if an account is breached on the user’s end.²⁵ Some policies are constructed to cover only a limited range of severity or a specific duty of care, only invoking redress channels for certain financial services.²⁶ In these policy regimes, those losing so-called small sums of money via less traditional financial services are more likely to be neglected. Additionally, seeking redress for cyber harms often incurs costs for users. Those operating with already small margins for error will be far less likely to pursue grievance redress, establishing a cycle wherein firms are not held accountable for their platforms’ harms to low-income users.

Lastly, several countries and individual companies have cultivated policy environments and practices that encourage (or at the very least neglect to penalize) exploitative digital finance practices, such as predatory lending, which can be uniquely damaging for consumers who lack a financial safety net.²⁷ Mobile money agents often overcharge customers,²⁸ and disinformation or misinformation can help fuel successful online fraud campaigns.²⁹

Smaller Businesses Often Aren’t Appropriately Secured

Micro-, small-, and medium-sized enterprises (MSMEs) are often a valuable source of income for people in lower socioeconomic groups. Representing over 90 percent of businesses worldwide, they serve as a dominant driver of economic activity in emerging markets. ³⁰ MSMEs increasingly use digital technology to deliver goods and services to low-income or low-access users. They can therefore play the important role of bringing people into the digital economy for the first time. But when MSMEs aren’t appropriately secured, they expose customers, as well as MSME operators, to risks. Small- and mid-sized financial businesses can, in many cases, fall between the cracks of existing cybersecurity or consumer protection regulations that were scoped to target more traditional banks or telecom providers. Technical training for developing and maintaining cyber resilience at the institutional level is often geared toward large-scale enterprises, ignoring the staffing, budgetary, and infrastructural constraints often faced by MSMEs. Absent an appropriately tailored protective environment, the burden of digital harms ultimately falls on small business owners who are often ill-equipped to protect themselves and their users.

Moreover, early findings from CyberFI research in Cameroon have indicated that even when innovators in the fintech space aspire to prioritize cybersecurity and resilience, in practice, they are limited in their ability to mobilize resources to this end, especially when there is a vacuum of guidance and policy specific to their needs.³¹ A recent survey of MSMEs showed that in Kenya, 30 percent of respondents claimed that financial loss was the most common harm from operating online.³² Fraud, hacking, and “cloning” of online business accounts, where fraudsters steal digital images and brand information to extort money from customers and business owners, pose grave challenges to MSMEs. Additionally, an increase in misinformation-fueled customer mistrust has led to harms that frequently go unaddressed by digital platforms when MSMEs pursue their support. These losses impact both MSMEs and their customers, undermining financial security and resilience across the board.

Recent Initiatives Offer Some Promise

Some development actors are already demonstrating appreciation of the need to prioritize the cyber resilience of vulnerable or marginalized groups. For example, in 2020, Innovations for Poverty Action launched a four-year, $5.4 million initiative to help protect digital finance users by investigating effective channels for building consumer protection in DFS.³³ This type of initiative can help fill a gap in insights around how vulnerable users are impacted by and should be better protected from digital financial harms. Similarly, the U.S. Agency for International Development (USAID) recently launched an interagency partnership with the Federal Trade Commission (FTC) focused on supporting consumer protection in the digital economy in Africa.³⁴ This partnership will channel technical expertise from within the FTC and other U.S. government entities to support authorities across the African continent that are looking to bolster policies and protections for consumers participating in the digital economy. After assessing the most pressing needs in a country’s digital economy, this effort aims to engage key stakeholders to address these needs and target capacity-building efforts and policy development accordingly.

In addition, the Consultative Group to Assist the Poor (CGAP) and the West African Economic and Monetary Union partnered with other financial sector authorities in 2022 to launch a DFS Consumer Protection Laboratory. The lab is intended to study different cooperative approaches to enhancing consumer protections against common DFS fraud and promote more consumer-centric approaches.³⁵ Innovations for Poverty Action’s Consumer Protection Research Initiative is promoting innovative data collection and analysis efforts to generate a more complete picture of vulnerable DFS users’ experiences with risk, as well as supporting rigorous evaluations of different interventions intended to bolster DFS consumers’ financial health.³⁶ It is premature to argue these efforts have advanced protections for vulnerable consumers, but their contributions will undoubtedly improve collective understanding of DFS consumer risks.

How to Better Cultivate Users’ Cyber Resilience

Governments, businesses, and development agencies that seek to bring people into the financial system must avoid exposing marginalized groups to cyber harms that could cause them to opt out or be pushed out of the digital economy. The effectiveness of cyber protections should not hinge on how well equipped a user is to stave off sophisticated cyber threat campaigns. DFS systems themselves must be constructed to recognize that even if a user isn’t able to identify and resist digital fraud—and especially if a user isn’t well equipped to identify or resist fraud—they should still be afforded protections from harm and supported in rebounding from it.

Development Actors Can Collaborate to Uncover Insights

To design appropriate protection measures, the development community and private sector can work together to more quickly and systematically document how vulnerable or marginalized users of digital finance are targeted in cyber crime campaigns, as well as how their unique situations might shape their digital threat profiles. Most importantly, these insights must be fed into cyber resilience efforts and interventions and reformers must figure out which interventions actually work.

The private sector has a wealth of insights on consumer risk, as well as promising interventions; more could be done to ensure that insights generated by these actors inform cyber resilience efforts carried out by others. For example, Kenya’s dominant telco Safaricom has recently taken a more aggressive stance toward creatively targeting and stopping SIM-swap fraudsters by leveraging social media and advertising to build awareness among its customer base and offering SMS and USSD channels for reporting fraud that takes place through M-PESA, Safaricom’s mobile finance service.³⁷ These efforts could go much further if those beyond the private sector also seek to improve their understanding of the scope of the threats faced by vulnerable users, including women, as well as the effectiveness of interventions made to strengthen users’ cyber resilience.

Policymakers and Donors Can Elevate and Address the Challenges of Underserved Consumers

Policymakers should push for risk-based rather than compliance-based approaches. This would ensure that the onus of consumer protection is placed more on authorities and service providers instead of only on consumers.³⁸ Capacity-building efforts, while often simultaneously necessary and overprescribed, can be better scoped to address context-specific risks—for example, targeting MSMEs for specific trainings and tailoring efforts to address demand-driven cybersecurity protections.

Donors and investors can support financial service providers in designing and implementing protections for all users. Firms should be more strongly incentivized to build back-end safeguards to protect against common fraud campaigns, particularly firms whose customers likely have low digital familiarity or literacy levels. Adoption of well-known cybersecurity best practices—for example, data encryption, multifactor authentication, and email defense mechanisms—can better protect against the types of cyber harms most likely to be encountered through user error or lack of consumer vigilance. Many cyber risks will only be avoided or recovered from if policies and practices are developed to explicitly accommodate the cyber resilience of key user groups. In Africa, this entails hundreds of millions of people who are financially underserved.³⁹

As women are often disparately impacted by online harms, their experiences—including how they have or have not been able to rebound from these harms—should be expressly considered as strategies are developed for improving cyber resilience at the individual level. As policymakers and donors reconsider what cyber resilience looks like for vulnerable groups, the gendered ways in which digital harms are experienced and understood deserve attention and action to inform more gender-equitable policy development.

Financial Service Providers Can Adopt More Risk-Aware, Consumer-Protective Practices

Shifting from compliance-based to risk-based approaches requires that firms realistically consider how their consumers encounter risks rather than assuming risks can be avoided by following prescribed, uniformly applied steps. Corporate policies and procedures should recognize that not all users (or firms) protect against and recover from risk in the same way. More grounded assessments of risk across different types of user segments, as well as institutions, can help to ensure more balanced accountability in practice. It can also help encourage practices that better align with consumers’ and providers’ on-the-ground security needs. CGAP has developed resources to help guide evidence-driven improvements to DFS consumer protections.⁴⁰

Increased Research, Documentation, and Awareness Can Improve the Understanding of Risks

Across all suggested paths for improvement, lack of visibility is a persistent problem. Despite longstanding efforts by key groups,⁴¹ there is limited data on the DFS challenges faced by vulnerable users, as well as the success of different interventions geared toward improving consumers’ experiences with the digital economy. The range and scope of everyday losses of vulnerable communities is under-documented, leading to blind spots for policymakers who seek to address the issue. With a stronger evidence base, policymakers and DFS providers will be better positioned to adopt fit-for-purpose protections and remedies. Innovations for Poverty Action has begun to explore promising innovations for consumer protection through improved support for grievance redress—for example, provision of pro bono legal assistance to help customers navigate mobile money dispute resolution in Uganda.⁴² More broadly, insights and commentary from the policy research community have already helped call others to action in recognizing the important role consumer protection can play in supporting greater financial health for the most marginalized.⁴³

Digital literacy and awareness-raising campaigns can help new-to-digital users better address some of the simplest vulnerabilities, but their effectiveness is less conclusively proven.⁴⁴ Public documentation and publicity of digital fraud can also contribute to greater consumer protection. In Ghana, for example, MTN Group has begun pushing for information-sharing around how fraud is being carried out over its platform, which is a welcome move to raise awareness.⁴⁵ Similarly, publicizing the arrests of fraudsters is increasingly common (but this may also alleviate pressure by creating an impression of reform while ignoring the more structural reforms needed to support greater protections).⁴⁶ Additionally, work to reconsider how disempowered consumers can have greater voice in calling for more responsive regulation indicates that there should be opportunities for low-income DFS users to shape policies to greater advantage.⁴⁷

Conclusion

Trust can be irreversibly lost when individuals are brought online in the name of financial inclusion only to be exposed to cyber harms that they can’t rebound from. Failing to bolster the cyber resilience of millions of users will lead these users to forgo digital finance altogether and return to paper-based exchanges. For digital financial inclusion to be successful, it is not enough to bring people into the digital economy; development actors must also ensure that people are resilient against the many harms they will be exposed to.

The financial sector’s overly narrow focus on the ability of financial institutions to withstand and recover from cyber attacks without full commensurate consideration for millions of low-income users complicates efforts to build resilience. Cyber resilience for digital financial inclusion must consider the digital deprivation of the consumer base.⁴⁸ This must include aspects of digital literacy and financial literacy and better acknowledge a low-income or vulnerable user’s digital posture and profile.

The benefits gained from strengthening protections for the most vulnerable users are not limited to this group alone. Better addressing the range of challenges faced by vulnerable groups will improve the overall strength of the financial ecosystem and expand the risk-mitigation options available to all consumers.

The international community can improve cyber resilience for the most vulnerable members of the digital economy by supporting more inclusive and protective policies and practices. This will require more user-centric cybersecurity protections and broader, more in-depth characterizations of the potential threats to marginalized and vulnerable groups. This must encompass both short-term and long-term resilience. Fostering the ability of those with limited means to recover from fraud or data-privacy breaches in the days and weeks following an incident is paramount; considering the longer-term consequences that cyber harm incurs is just as important. If harm is ignored, millions of users may opt to join the growing exodus from the digital economy.⁴⁹

To improve development strategies and practices, more data and insights are needed on how vulnerable or low-income consumers are impacted by cybersecurity breaches and fraudulent financial activity. An effective way for development actors to evaluate whether secure, inclusive digital finance has been achieved could be measuring the degree to which policy and technical safeguards promote the cyber resilience of individuals. For this to be feasible, greater visibility into individual cyber resilience is needed.

Establishing consumer protection across traditional or formal financial institutions, as well as more nascent, under-regulated financial services, will be important. Protections must grapple with how to achieve both cybersecurity and cyber resilience for individuals, small firms, and large institutions. Fundamentally, the benefits of digital financial inclusion hinge on establishing security of, and trust between, low-income consumers and service providers.

Failing to achieve cyber resilience for vulnerable or marginalized groups will undermine hard-won gains in financial inclusion. Groups that are targeted by development actors for inclusion in the digital economy are also targeted by malicious actors for security compromises. For the digital transformation agenda to be achieved, the most vulnerable and marginalized people must be protected from harm—and prepared to rebound from harm—when they interact with the digital economy.

Notes

¹ Aramé Awanis, Christopher Lowe, Simon Andersson-Manjang, and Dominica Lindsey, “State of the Industry Report on Mobile Money 2022,” GSM Association, 2022, https://www.gsma.com/sotir/wp-content/uploads/2022/03/GSMA_State_of_the_Industry_2022_English.pdf.

² Emily Breza, Martin Kanz, and Leora Klapper, “Learning to Navigate a New Financial Technology: Evidence from Payroll Accounts,” National Bureau of Economic Research, Working Paper no. 28249, 2020; and Danielle Moore, Zahra Niazi, Rebecca Rouse, and Berber Kramer, “Building Resilience Through Financial Inclusion: A Review of Existing Evidence and Knowledge Gaps,” Financial Inclusion Program, Innovations for Poverty Action, 2019, https://www.poverty-action.org/sites/default/files/publications/Building-Resilience-through-Financial-Inclusion-English.pdf.

³ “Fraud Report,” Evina, 2021, https://www.evina.com/wp-content/uploads/2021/06/Africa-Q1-Q2-Evina-Master-Fraud-Report-ENG.pdf; Jenna Delport, “Top 3 African Countries Hit by Mobile Fraud,” IT News Africa, November 23, 2020; and Alvin Wanjala, “Kenya Ranked Among the Top 3 African Countries Affected by Mobile Fraud,” Tech Trends KE, November 24, 2020, https://techtrendske.co.ke/kenya-ranked-among-the-top-3-african-countries-affected-by-mobile-fraud/. 

⁴ Sam Kiplagat, “CA Fights SIM Card Fraud Class Action Suit,” Business Daily Africa, January 18, 2023, https://www.businessdailyafrica.com/bd/economy/ca-fights-sim-card-fraud-class-action-suit--4089518.

⁵ William Blackmon, Rafe Mazer, and Shana Warren, “Kenya Consumer Protection in Digital Finance Survey Report,” Innovation for Poverty Action, March 1, 2021, https://www.poverty-action.org/publication/kenya-consumer-protection-digital-finance-survey-report.

⁶ Majorie Chalwe-Mulenga, Eric Duflos, and Gerhard Coetzee, “The Evolution of the Nature and Scale of DFS Consumer Risks: A Review of Evidence,” Consultative Group to Assist the Poor, February 2022, https://www.cgap.org/sites/default/files/publications/slidedeck/2022_02_Slide_Deck_DFS_Consumer_Risks.pdf.

⁷ Shabtai Gold, “Spike in Fraud May Hurt Africa’s Gains in Digital Financial Inclusion,” DEVEX, May 3, 2022, https://www.devex.com/news/spike-in-fraud-may-hurt-africa-s-gains-in-digital-financial-inclusion-103161.

⁸ “Fraud in the Nigerian Financial Services,” Nigeria Inter-Bank Settlement System, https://nibss-plc.com.ng/media/PDFs/post/NIBSS%20Insights%20Fraud.pdf.

⁹ Olatunji Olaigbe and Andrea Peterson, “Nigeria’s Electronic Payments Boom Leaves Some at Risk for Fraud,” Record, June 21, 2022, https://therecord.media/nigeria-payment-fraud-pos-fintech/.

¹⁰ “EFInA Access to Financial Services in Nigeria 2020 Survey,” Enhancing Financial Innovation & Access, June 3, 2021, https://efina.org.ng/wp-content/uploads/2021/10/A2F-2020-Final-Report.pdf.

¹¹ Proposed working definition, adapted from National Institute of Standards and Technology guidance (2021): “Cyber resiliency: ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on cyber systems,” https://csrc.nist.gov/glossary/term/cyber_resiliency.

¹² Noëlle Van der Waag-Cowling, “Dividend or Liability? Financial Inclusion, Digital Deprivation, and Cyber Risk Proliferation in South Africa,” Carnegie Endowment for International Peace, May 2, 2022,https://carnegieendowment.org/2022/05/02/dividend-or-liability-financial-inclusion-digital-deprivation-and-cyber-risk-proliferation-in-south-africa-pub-87017.

¹³ “Mobile Money Fraud Hits Rural Kenya Residents Hard,” Namibian, January 15, 2016, https://www.namibian.com.na/index.php?page=archive-read&id=146226.

¹⁴ “Fraud Report,” Evina, 2021, https://www.evina.com/wp-content/uploads/2021/06/Africa-Q1-Q2-Evina-Master-Fraud-Report-ENG.pdf; and “Africa Overwhelmed by Mobile Fraud,” TechMetro Africa, July 26, 2021, https://techmetroafrica.com/2021/07/26/africa-overwhelmed-by-mobile-fraud/.

¹⁵ “E-Levy: Telco Chamber Warns Public Against Fraudsters,” GhanaWeb, May 9, 2022, https://www.ghanaweb.com/GhanaHomePage/business/E-levy-Telecom-Chamber-warns-public-against-fraudsters-1533860.

¹⁶ Daryl Collins and Derry Moore, “Gender and Digital Worldviews: Divergent User Perspectives on Data Collection and Use,” CFI Blog, Center for Financial Inclusion, July 21, 2021, https://www.centerforfinancialinclusion.org/gender-and-digital-worldviews-divergent-user-perspectives-on-data-collection-and-use; and “Payment System Design and the Financial Inclusion Gender Gap,” Level One Project, January 2021, https://www.leveloneproject.org/wp-content/uploads/2021/01/Payment_System_Design_and_the_Financial_Inclusion_Gender_Gap.pdf.

¹⁷ “Women & Money: Insights and a Path to Close the Gender Gap,” IDEO.org, December 2021, https://www.findevgateway.org/paper/2021/12/women-money-insights-and-path-close-gender-gap.

¹⁸ Blackmon, Mazer, and Warren, “Kenya Consumer Protection in Digital Finance”; and William Blackmon, Rafe Mazer, and Shana Warren, “Nigeria Consumer Protection in Digital Finance Survey,” Innovations for Poverty Action, March 2021, https://www.poverty-action.org/sites/default/files/publications/Nigeria-Consumer-Survey-Report.pdf.

¹⁹ “2021 FinAccess Household Survey” Financial Sector Deepening Kenya, 2021, https://www.fsdkenya.org/wp-content/uploads/2021/12/FinAccess-2021-Infographic.pdf.

²⁰ Seth Garz et al., “Consumer Protection for Financial Inclusion in Low- and Middle-Income Countries: Bridging Regulator and Academic Perspectives,” Annual Review of Financial Economics 13 (September 3, 2021): 219–246, https://www.annualreviews.org/doi/abs/10.1146/annurev-financial-071020-012008.

²¹ Allan Odhiambo, “Maasai Shylocks Offer Loans for Small Traders Hit by Fintech Loan Defaults,” Nation, December 9, 2022, https://nation.africa/kenya/counties/kisumu/maasai-shylocks-offer-loans-for-small-traders-hit-by-fintech-loan-defaults-4048324.

²² Brian Ambani, “Cyberattacks Rise by 47.5m on Shift to Online Banking, Remote Working,” Nation, June 3, 2022, https://nation.africa/kenya/news/cyberattacks-rise-by-47-5m-on-shift-to-online-banking-3836228.

²³ Steve Otieno, “Explainer: How to Avoid Falling Victim to SIM Swap Fraud,” Nation, May 31, 2022, https://nation.africa/kenya/news/explainer-how-to-avoid-falling-victim-to-sim-swap-fraud-3832792.

²⁴ Van der Waag-Cowling, “Dividend or Liability?”.

²⁵ Olaigbe and Peterson, “Nigeria’s Electronic Payments Boom.”

²⁶ Juan Carlos Izaguirre, “Making Consumer Protection Regulation More Customer-Centric,” World Bank, Working Paper, June 2022, https://documents1.worldbank.org/curated/en/745951599028334289/pdf/Making-Consumer-Protection-Regulation-More-Customer-Centric.pdf.

²⁷ Chalwe-Mulenga, Duflos, and Coetzee, “DFS Consumer Risks”; and Juan Carlos Izaguirre, Michelle Kaffenberger, and Rafe Mazer, “It’s Time to Slow Digital Credit’s Growth in East Africa,” Consultative Group to Assist the Poor, September 25, 2018, https://www.cgap.org/blog/its-time-to-slow-digital-credits-growth-in-east-africa.

²⁸ Matthew Bird and Rafe Mazer, “Uganda Consumer Protection in Digital Finance Survey,” Innovations for Poverty Action, March 2021, https://www.poverty-action.org/sites/default/files/Uganda-Consumer-Survey-Report.pdf.

²⁹ Nancy Haugh, Priya Sethi, and Jean Leroux, “No Reward Without Risk: Addressing the Economic Impacts of Misinformation and Other Digital Harms on MSMEs,” Center for Digital Acceleration, Development Alternatives Incorporated, February 2023, https://www.dai.com/uploads/digital-downsides.pdf.

³⁰ “Small and Medium Enterprises (SMEs) Finance,” World Bank, https://www.worldbank.org/en/topic/smefinance.

³¹ Tomslin Samme-Nlar, “Cameroon’s Fintech Start-ups’ Attitudes Toward and Culture of Cybersecurity,” Carnegie Endowment for International Peace, May 19, 2022, https://carnegieendowment.org/2022/05/19/cameroon-s-fintech-start-ups-attitudes-toward-and-culture-of-cybersecurity-pub-87137.

³² Haugh, Sethi, and Leroux, “No Reward Without Risk.”

³³ Rafe Mazer, “IPA Launches $5.4 Million Initiative to Protect Digital Finance Users,” Innovations for Poverty Action, February 7, 2020, https://www.poverty-action.org/blog/ipa-launches-54-million-initiative-protect-digital-finance-users.

³⁴ “Trust and Competition in Digital Economies: Promoting an Enabling Environment for Consumer Protection and Competition Across Africa,” U.S. Agency for International Development, December 10, 2022, https://www.usaid.gov/digital-development/trust-and-competition-digital-economies.

³⁵ “The Digital Financial Services Consumer Protection Lab,” Consultative Group to Assist the Poor, September 2022, https://www.cgap.org/sites/default/files/2022-09/DFS%20Consumer%20Protection%20Lab/One%20page_Lab%20Presentation_EN_Final_130922.pdf. 

³⁶ “Financial Inclusion,” Innovations for Poverty Action, accessed March 9, 2023, https://www.poverty-action.org/program-area/financial-inclusion/call-for-proposals.

³⁷ “Safaricom Extends SIM Fraud Fight to Lenders,” Nation, June 28, 2020, https://nation.africa/kenya/business/safaricom-extends-sim-fraud-fight-to-lenders-180374.

³⁸ Antonique Koning, Juan Carlos Izaguirre, and Aveesha Singh, “Customer Outcomes-Based Approach to Consumer Protection: A Guide to Measuring Outcomes: Lessons from a South Africa Pilot,” Consultative Group to Assist the Poor, June 2022, https://www.cgap.org/sites/default/files/publications/slidedeck/2022_06_Reading_Deck_Customer_Outcomes_Based_Approach_Consumer_Protection.pdf.

³⁹ “Securing the Mobile Money Ecosystem: Dynamic Cyber Risk Model for Improving Secure Access to Mobile Digital Financial Services,” MITRE Engenuity, July 2022, https://7754670.fs1.hubspotusercontent-na1.net/hubfs/7754670/Incubations%20Investments%20Papers/For%20Pub%20Engenuity%20mDFS%20Risk%20Model%20Development%20Report_ME0044_Final.pdf.

⁴⁰ Koning, Izaguirre, and Singh, “Customer Outcomes-Based Approach.”

⁴¹ See, for example, Chalwe-Mulenga, Duflos, and Coetzee, “DFS Consumer Risks.”

⁴² Matthieu Chemin and Carin Mirowitz, “Measuring the Impact of Legal Assistance on Mobile Money Dispute Resolution in Uganda,” Innovations for Poverty Action, https://www.poverty-action.org/study/measuring-impact-legal-assistance-mobile-money-dispute-resolution-uganda.

⁴³ “Advancing Consumer Protection Across Africa in the Digital Age,” Collaboration on International ICT Policy for East and Southern Africa, February 25, 2021, https://cipesa.org/2021/02/advancing-consumer-protection-across-africa-in-the-digital-age/; and Kate McKee, Michelle Kaffenberger, and Jamie Zimmerman, “Doing Digital Finance Right,” Consultative Group to Assist the Poor, June 2015, https://www.cgap.org/research/publication/doing-digital-finance-right.

⁴⁴ Elif Kubilay, Eva Raiber, Lisa Spantig, Jana Cahlíková, and Lucy Kaaria, “Can You Spot a Scam? Measuring and Improving Scam Identification Ability,” CESifo, Working Paper No. 10239, February 2, 2023, https://ssrn.com/abstract=4344411.

⁴⁵ “Mobile Money Fraudsters Now Target Bank Accounts Linked to MoMo Accounts,” Ghana Chamber of Telecommunications, July 15, 2020, https://telecomschamber.com/news-media/industry-news/mobile-money-fraudsters-now-target-bank-accounts-linked-to-momo-accounts.

⁴⁶ Sam Kiplagat, “How Ten Suspects Stole Sh450m Through Fuliza,” Business Daily, February 10, 2023, https://www.businessdailyafrica.com/bd/corporate/companies/ten-suspects-face-charges-in-sh450m-fuliza-heist--4118072; “DCI ‘Unmasks’ Suspected Head of Mulot Sim Swap Syndicate,” Star, December 28, 2022, https://www.the-star.co.ke/news/2022-12-28-dci-unmasks-suspected-head-of-mulot-sim-swap-syndicate/; and Ghana Chamber of Telecommunications, “Mobile Money Fraudsters.”

⁴⁷ Eric Duflos, Mary Griffin, and Myra Valenzuela, “Elevating the Collective Consumer Voice in Financial Regulation,“ Consultative Group to Assist the Poor, Working Paper, March 2021, https://www.cgap.org/sites/default/files/publications/2021_03_WorkingPaper_Collective_Consumer_Voice_updated.pdf.

⁴⁸ Van der Waag-Cowling, “Dividend or Liability?”

⁴⁹ See Odhiambo, “Maasai Shylocks Offer Loans.”