Alvin acquires Data Controller and Data Processor Certifications in Kenya

Alvin is recognized as a third party service provider authorized to process customer transaction data for Kenyan banks

Alvin for Enterprise
5 min read · Jul 28, 2023

We are thrilled to announce that Alvin Technologies has now attained both the Data Controller and Data Processor Certifications as a third-party service provider for financial institutions in Kenya. This accomplishment places us in compliant standing with Kenyan banks, microfinance institutions, Savings and Credit Cooperative Organizations (SACCOs) and other fintechs by acknowledging that we meet the standards set forth by the Office of the Data Protection Commissioner in Kenya.

Attaining these certifications represents a significant step in our ongoing commitment to comply with all relevant federal regulations in the countries in which we operate. It also gives our clients even greater confidence in the protocols we have in place to safely process their customers’ data on their behalf.

Now, when a bank embeds an Alvin product that needs to analyze customer spending in order to work best (i.e., our rules-based savings product), we are authorized to enrich and process that data via our system and the servers we manage. This will enable us to further refine the automation capabilities that power most Alvin products.

The procedure to acquire both certifications involved an external review of our company and management by the Office of the Data Protection Commissioner in Kenya.

The significance of these certifications

Federal Data Compliance Certifications are benchmarks established by governments to set the standard for appropriate measures to ensure consumer data is properly protected and used for ethical purposes only. The necessity for such regulations is increasing as levels of fraud and cybersecurity threats rise in Kenya alongside the proliferation of smartphones and an ever-growing number of touchpoints where consumer data is used to enhance digital services (including banking).

Additionally, many Kenyan consumers distrust the ways their data is managed by institutions, so it is important that any organization touching consumer data demonstrates that it is a responsible facilitator of data processing activities. Spending data, by definition, is exceptionally sensitive, so it is important that Alvin is a compliant business in this regard as a partner to banks.

Risks of non-compliance

Non-compliance with federal data protection laws can result in several significant risks for software vendors who serve banks:

  1. Loss of industry trust: When choosing vendors, banks need to ensure that a desired vendor’s system and service comply with all relevant regulatory stipulations, and that customer data remains secure once the bank integrates that vendor’s software. Official certifications recognizing a third party’s good standing are crucial for maintaining this trust.
  2. Wrongful data exposure: While Alvin does not store card payment details on our system, we process transaction data to analyze spending behavior to power some of our products such as automated transaction categorization. Non-compliance with data protection law risks a company not having secure structures in place to protect precious customer transaction data and spending analysis from hackers and bad actors.
  3. Financial penalty: The Office of the Data Protection Commissioner can impose heavy fines on companies delivering products to banks without being in compliance themselves.

To mitigate these risks, it is crucial for vendors to obtain data protection certifications and regularly assess ongoing compliance with these standards to process and store consumer data ethically.

Our role as a Certified Data Processor

As a Certified Data Processor, Alvin is authorized to integrate with banks, fintech companies and other Financial Service Providers (FSPs) via the Alvin API to:

  • Receive customer transaction data from enterprise clients and use this data to refine the effectiveness of Alvin products that are enhanced using transaction data as an input (i.e., automated budgeting support, automated transaction categorization)
  • Store data and corresponding analysis algorithms on Alvin-managed cloud servers

Our role as a Certified Data Controller

As a Certified Data Controller, Alvin is authorized to process personal data on behalf of FSPs. This certification relates primarily to our Data Enrichment engine which uses our proprietary machine learning algorithm to:

  • Automatically categorize customer transactions
  • Enhance automation abilities based on understanding customer spending and goals

Data compliance and regulations for third-party service providers for banks

Consumer data is protected using adequate security measures on the service provider’s backend system as per Section 25 of the Data Protection Act of Kenya 2019. As a compliant vendor, we:

  • Collect data for explicitly defined purposes in compliance with Kenyan law
  • Commit to processing data only to achieve specific outcomes agreed upon with customers with formal end user consent
  • Guarantee that customer data is not sold or inappropriately shared with external parties
  • Maintain data in a format that ensures records are kept and used for refining enterprise products for no longer than necessary and only with the data subject’s consent
  • Commit to regular verifications on the part of the Commissioner to ensure ongoing good standing
  • Maintain transparent policies on data management at Alvin

Implications for Alvin and our clients

Our role in the African retail banking industry is to help banks reduce their costs when seeking to deploy features that help their retail customers pay back loans, save consistently toward their goals and access more local services via their digital banking app experience.

In light of this mission, being a Certified Data Controller and Data Processor yields the following advantages for our Kenyan operation:

  • Expedited risk & compliance verification for banks integrating Alvin software: One of the pivotal steps when integrating with a bank as a vendor is enabling the bank’s risk & compliance teams to verify that it is safe to work with you. These certifications signify that Alvin Technologies is in good standing, and this will make it easier for bank procurement departments to approve us as a vendor.
  • Strengthened reputation and trust: The trustworthiness instilled by our certifications as a Data Controller and Data Processor not only fortifies the relationship between Alvin and bank clients but also enhances the trust and confidence the bank’s retail customers can place in their bank, knowing their data is being processed ethically.
  • Risk mitigation: These certifications minimize each bank customer’s risk of non-compliance and its associated negative ramifications.

What’s next

We are also in the process of acquiring our SOC 2 Type II Certification to formally recognize our infrastructure as having effective bank-grade security against cybersecurity attacks.

We’re also currently undergoing a review of our products in Nigeria for Nigerian banks and fintechs to ensure that our products there, too, fully comply with the newly instated Nigerian Data & Protection Act policies of 2023. We will publish news on both of these fronts publicly as well as update our customers directly once these processes are completed.
