Are IDs safe in hands of momo agents?
About a week ago, MTN started implementing a “no identity card, no momo transaction policy.”
This new policy by MTN Mobile Money Limited represents an attempt by the largest telecom operator to protect its numerous customers from fraud.
We have all been aware of the avalanche of fraud activities which have been reported over the years by people without verified identity.
Also flowing from the Bank of Ghana’s directive to financial institutions to demand IDs cards for all financial transactions done at the brick-and-mortar banks, it may be proper for mobile money operators to also implement some security measures to prevent fraud and theft of customers’ money
Challenge
While the new policy is laudable to improve upon the security of the system, it has the potential for creating another problem.
Let me give an example of what happened to me on Saturday, April 3, 2013 as I went to cash-out funds from my MTN Mobile Wallet. The agent asked for my ID card and I provided him my voter’s ID.
I then saw the agent recording my ID details unto his foolscap notebook.
I was concerned because I was not sure what that agent could be doing with my ID details in my absence.
Beginning April this year, the Ghana Card number (pin) has become a unique identifier for all Ghanaians and the card number is now replacing Tax Identification Number (TIN), Social Security and National Insurance Trust (SSNIT) and National Health Insurance Scheme (NHIS).
We are also told that soon the Ghana Card would be the only acceptable ID for transactions.
That, therefore, puts lot of utility on the Ghana Card number.
Like the Social Security Number (SSN) in the United States, the Ghana Card number/pin will play a key role in identifying people for many reasons.
In the US for example, Social Security Administration (SSA) reports that identity theft is one of the fastest growing crimes in America.
A dishonest person who has a Social Security number of another person can use it to get other personal information about the person.
Personal information,
mobile agent
Per the “no ID, no momo” policy, mobile money agents would be recording the personal information of customers who come over to do transactions.
This is not a bad idea as such details can help to trace a customer in case of any investigation.
The ultimate concern is how will these records be handled?
What is the guiding principle in case the notebook used to record the details get used up?
How will it be disposed off? Will MTN come for it?
Is the relationship between MTN and the mobile agent that of a principal and agent? Is the MTN willing to bear the liability for loss occasioned from mishandled customers’ information?
Data Protection Law
Ghana’s Data Protection Act (Act 843 of 2012) places mandatory burden on businesses or persons who collect data to take in account the privacy of the data subject by applying data security safeguards (Section 17).
While it is clear that MTN as a company has mastered data protection of its client data at the corporate level, the same cannot be said of its mobile money agents as the former have not attained the level of training and safeguards required for data protection.
Allowing mobile money agents to have access to tomes of people’s data could expose lots of users to fraud and identity theft.
Fraudsters and money scammers can easily go to momo agents and pay them some money and have access to the records in their foolscap notebook.
When these records get into the hands of the fraudsters, they can connive with mobile phone agents and use it to register new sim cards and mobile money as registration can be done using USSD (Unstructured Supplementary Service Data).
Already the Ghana Police Service has served notice to people who make photocopies of their IDs to ensure that the photocopy operator does not retain any of the copied document, even if the copy in question did not come out well.
IDs
There are other businesses who also collect ID card details. The banks do and even VIP Parcel Services (VIPEX) also does the same.
Why then are we crying foul about MTN’s “no ID, no momo” policy? Some of these institutions have control systems compared with mobile money agents.
Due to the large numbers of momo agents across the country, the tendency for fraud or data breaches can be high.
Additionally, some of the mobile money frauds have been traced to some agents as accomplices.
Way forward
While we laud MTN for its effort and leadership in the industry, the solution that they are implementing cannot be worse than the problem.
I sincerely believe that we cannot afford to be unmindful of potential effects of customers’ data falling into the hands of criminals.
Mobile money has to stay and will even outperform brick-and-mortar banks in terms of volumes of transactions.
Till then though, firstly, the regulator should lead with an acceptable ID requirement that would protect the sanctity of the mobile money industry and customers data from identity theft.
This should involve the National Communications Authority (NCA), Ministry of Communication, BoG, National Security, Police Criminal Investigation Department (CID), Mobile Network Operators (MNOs) and National Identification Authority (NIA).
Secondly, MTN may have to suspend this policy for the time being to allow for the National Communication Authority (NCA) to mandate all sim card registrations with only the Ghana Card by a certain deadline after which any card which is not registered by the Ghana Card will be decommissioned.
I am sure this can be done before December 31, 2021, if the NCA, BoG and industry players are to collaborate.
Thirdly, once the Ghana card is rolled out for registration for all sims, then anyone performing a momo transaction will need to show the ID card to the agent and the agent will enter the first four digits of the card number after having physically looked to ensure that the ID photo matches the bearer.
Then, another authentication prompt will also require the customer to enter the last four digits of the Ghana card before the PIN can be entered.
Once these three steps are entered correctly, then the transaction can be authorised.
Finally, MTN is capable, and must find innovative ways of enforcing this policy, instead of allowing 'weak' agents who have little or no knowledge about data protection and privacy laws.
The writer is the West Africa Regional Director for CUTS International Accra, a research and advocacy public policy think tank in the areas of consumer protection and education.