Consumers and businesses have been moving online in recent years, and regulators from the European Union to the Middle East and North Africa (MENA) region have worked to keep up with this migration. The ongoing COVID-19 pandemic is accelerating this shift, making financial institutions (FIs), merchants and their regulatory officials race to secure these new digital users.
The health crisis is prompting officials to adjust their views on financial regulations as many authorities had different priorities when they passed the first iterations of such rules more than a decade ago. The Dubai International Financial Centre ratified the original version of its Data Protection Law (DPL) in 2007, for example — about a year earlier than Europe’s official General Data Protection Regulation (GDPR) and first Payment Services Directive (PSD) launches. Financial authorities and lawmakers in Abu Dhabi, Saudi Arabia and the United Arab Emirates (UAE) quickly followed Dubai’s lead as consumers and merchants headed online.
MENA nations’ original rules involved data privacy, but they were focused on developing the open banking ecosystem and allowing information to move freely. The pandemic is dramatically altering how merchants can transact, which data they can store and where they can store it, however. Regulators as well as finance and technology experts are scrutinizing where digital information is held, and one recent survey found that eight out of 10 IT professionals in the UAE believe storing sensitive information locally is either “somewhat” or “very important.”
The following Deep Dive analyzes how the pandemic has affected open banking and privacy regulations — especially in the MENA region — and what this implies for future regulations. It will also examine how merchants can better understand these rules and compete within an ecosystem where online privacy and digital banking perceptions are shifting.
The Data Privacy Twist
Cybersecurity and data privacy have always been critical facets of open banking regulations as fraud tends to increase alongside growing online transaction volumes. Data breaches now cost Saudi Arabia and UAE companies about $188 for each stolen personal detail, for example, and this price tag multiplies quickly because most hacks compromise thousands of records. The pandemic has refocused scrutiny on the open banking ecosystem’s privacy and security.
Part of the reason for this new spotlight on data privacy is simple: MENA consumers are starting to question how their data will be used and where it will be stored. A May 2020 survey of UAE consumers found that 84 percent tried to remove private details from online websites or their social media, for example, and 31 percent stated that their personal data had been shared or made available to others without their explicit consent. These views are significant for merchants and regulators because most of these consumers expect to maintain their digital habits after the pandemic ends. Sixty-nine percent of MENA consumers believe the health crisis will significantly alter their long-term behaviors while just 9 percent expect to return to their pre-pandemic spending habits once the pandemic abates.
Consumers’ changing views are prompting MENA financial authorities to reexamine how their present regulations handle online privacy. Egypt recently announced that its first consumer-related data protection rule would go into effect in October, for example, and the Dubai International Financial Centre (DIFC) revealed in July that it was upgrading its DPL, with businesses given until Oct. 1 to adjust their standards in compliance. This shift has been pushed further into the spotlight due to the ongoing pandemic. Dubai’s rule contains greater financial penalties for organizations that fail to comply, indicating that its newfound data privacy focus is likely a long-term priority. Lawmakers in Abu Dhabi have also amended existing rules during the pandemic — a move that could radically shift open banking developments.
Merchants And The Global Privacy Battle
Perhaps the most notable detail about the MENA region’s developing open banking standards is their scope. Dubai’s regulation covers all businesses that are keeping or employing individual residents’ data, making its reach similar to that of the GDPR and the California Consumer Privacy Act (CCPA) in their respective markets. The comprehensive nature of these regulations could prove crucial to businesses, as one study found that online privacy and security were a main worry for 48 percent of small- to medium-sized businesses (SMBs) in the UAE.
These standards may provide additional layers of security that are likely to please consumers, but they could also put merchants in a precarious position as they look to adhere to domestic and international privacy regulations. Many merchants are global entities, after all, which means they must now worry about security regulations in their own markets and abroad.
Businesses must therefore keep a careful eye on how data privacy perceptions are changing worldwide, especially as the pandemic pushes more regulators into action. Regulators must also consider the increasingly global nature of commerce and finance to craft security standards that can satisfy businesses, banks and customers. The development of an international data privacy standard may be years away, but developing cohesive regulatory policies for open banking is becoming more and more essential for businesses in the MENA region and beyond.