Savings and Credit Cooperative Organizations (SACCOs) across Africa are digitizing rapidly. From the use of digital core banking systems to customer support, omnichannel payment gateways and tech-enabled information management systems, SACCOs are transforming decades-old business models, enabling greater efficiencies and results for their members. However, with this change comes risks in data privacy and security — which many SACCOs have failed to properly remedy so far, and with potentially disastrous consequences.

Digitizing The Analog

SACCOs have, for a long time, been community-led societies run through simple, traditional methods that include numerous forms to be filled, thousands of physical records and constant walk-ins at the office. But this is slowly changing in the wake of digital banking and a continuously evolving financial system, and this begins with government-enabled mechanisms. Rwanda dipped its feet into automated SACCO activities in 2020 with the rollout of core banking system software aimed at serving public and private SACCOs within the country. Ghana utilizes a shared Management Information System, the Credit Union Software (CUSOFT) that is aimed at automating the processes in credit unions. Yet the case in Ghana, where the system has hardly been updated since its launch in 2012, is one example where mere regulatory push may not be enough to realize the full benefits of digitization and keep up with evolving trends.

Source: WOCCU Statistical Report

In neighboring Nigeria, innovations have gone outside the box and into decentralized finance (DeFi). Xend Finance, a Nigeria-based startup, has introduced blockchain-enabled systems for credit unions to counter inflation. They provide both web-based and app-based systems that allow table banking and dividend disbursement while allowing individuals and groups to transact in stablecoin and receive higher returns. Xend Finance is yet to introduce loan processing and disbursement features, according to Ogechukwu Aronu, CEO of Xend Finance, but such features are on the way.

Xend finance’s next stop is Kenya, and its innovations will likely find a place in the country’s ecosystem of vendors. Whereas Ghana and Rwanda’s SACCOs use a centralized core banking system, Kenya’s SACCOs utilize several systems from multiple competing vendors. Vendors in the marketplace include Coretec, Fibo360, Craft Silicon and Amtech, all of which package software into different modules to sell to SACCOs across the country. Offerings range from automation of administrative tasks to information management, core banking systems and mobile banking capabilities. To better serve remote areas and facilitate improved connectivity, such vendors often include offline options and inter-branch operations for SACCOs spanning different locales.

With these newfound capabilities, SACCOs in Kenya are beginning to evolve from community-oriented groups with limited loan options to neobanks that offer multiple financial products to their members. Multiple members of different SACCOs in Kenya note that they haven’t gone to a SACCO office for years — and some even since they joined the SACCO. Through their mobile phones, SACCO members can access loan applications, savings, statement viewing and even inquiries and complaints. Proximity to the SACCO office and other members may still be important for select activities, including getting guarantors to sign loan application forms and first-time registration for many SACCOs. This, however, is bound to change in Kenya and the rest of Africa as SACCOs continue to embrace digital systems.

Source: Interface for Coretec, a software vendor serving SACCOs

The shift to digital systems is a pivotal step for SACCOs to compete with banks as savings and loan-disbursing options for users, especially as interest ranks from banks become more competitive. Sophisticated digital systems enable SACCOs to scale by increasing their reach past geographical boundaries while providing granular data that can be used by SACCO management teams to create new competitive products for the members.

Yet this digitization of once-informal financial institutions has not come without its gaps in security, which already have resulted in losses of millions of dollars. As the rest of Africa digitizes SACCO systems, Kenya serves as a cautionary tale in this respect.

Data Security — At A Cost

Digital systems are vulnerable to attacks both online and offline, and previously analog SACCOs are learning this the hard way. SACCOs in Kenya have faced data breaches which led to the loss of $928,000 over a year and a half through March 2021, according to the Central Bank of Kenya — which is likely an underestimate considering unreported breaches. Such a trend is not isolated to Kenya alone. A report by Black Kite found that 86% of credit unions and 76% of vendors in the US have breached employee credentials available on the Dark Web, with 66% of credit unions and 88% of vendors failing to deploy the necessary configurations to prevent email spoofing attacks. This ticking time bomb, together with other security threats facing credit unions in the US, could have a financial impact of about $1.2 million for large credit unions and $190,000 for the smaller ones. Yet the data security issues faced by SACCOs in Africa go beyond cyber-attacks.

In conversations with half a dozen employees in several African SACCOs, a major reason cited by many small SACCOs for insufficient data security is the expenses involved in commissioning the requisite software options. Vendors selling software in Kenya have different features packaged into modules for purchase. At the lowest tier of many vendor options is an offline software package that requires manual entry of information, such as loan repayments and contributions to individual accounts. One SACCO employee, who wished to remain anonymous, admits to having an offline and outdated system that they know is unsafe but is all the SACCO could afford. Per his admission, their system is “one burglary or fire incident away” from massive data losses.

Aside from breaches, the data management systems are subject to human error, in which some transactions may be missed without an automated system. The aforementioned employee keeps backups of the data, and the SACCO allows members to request their statements at any time — but the risk of data loss remains significant.

The cost of software available in the market depends on the software’s capabilities, the size of the SACCO and its number of employees. With initial costs ranging anywhere between $1,000 and $10,000 in the Kenyan market, SACCOs also have to factor in maintenance costs, training and support costs, further driving up the overall cost of these systems.

With high prices rendering key features such as cloud computing and real-time transaction updates unavailable for smaller SACCOs, digitization remains far short of its conceptual promise. A collaborative approach among SACCOs may be the answer, a potential solution already seen in Nairobi’s Catholic Church self-help groups, in which individual groups were all brought together under one system, the Caritas Microfinance Bank. Software was then commissioned to be used by each group, effectively subsidizing their costs depending on the size of the group and its activities while still benefiting from a highly secure and sophisticated system.

The Human Touch

In financial situations where SACCOs can afford to invest in more capable digital products and software, the risks of data loss and data input errors are reduced by incorporating robust data validation techniques and safe cloud backup options. However, as Dr. Jerotich Sirma, a lecturer at Egerton University, tells Mondato Insight, SACCOs are still exposed to some risk.

“[SACCOs’] biggest, weakest link is not the technology, per se — it’s the human aspect.”
Dr. Jerotich Sirma, Information Security Systems Lecturer at Egerton University, Kenya

SACCO employees often have access to member information with the ability to input or modify data. This is once again borne out of the SACCO’s inability to purchase the software models that include intricate access controls that provide approval requirements and limit employee access to only what is necessary. Cases of employee ignorance where passwords are shared also contribute to further endanger SACCO members’ information and contributions. Though human interference is endemic to any organization large and small, the inadequate digital tools and poor training at SACCOs has given way to a culture of corruption and employee malfeasance that goes unchecked due to the prevailing hybrid analog-digital SACCO operations lacking in automation.

With an under-reporting of cybercrime by SACCOs and the lack of knowledge among members, it is difficult to know what to look for to determine how secure a SACCO is. Reliance on the Internet and community word of mouth in selecting a SACCO among potential members has made maintaining a positive reputation a necessity for SACCOs, and possible — including the omission of prior data breach incidents, according to SACCO employees in Kenya. As the traditionally community-oriented approach of SACCOs gives way to digitization and its ability to broaden operations beyond close-knit communities, members’ trust in SACCOs becomes more a matter of perception than in-person relationships, and not necessarily for the better.

While most SACCOs that use software in their daily activities tend to have a policy governing cyber security, implementing it is often a challenge. A report on the state of cyber security in Kenya by Serianu Ltd. showed that over 60% of those surveyed did not conduct frequent cyber-breach scenario testing. A third said they never conducted the testing, making them ill-prepared for an actual attack.

Source: Serianu Ltd.

Often, these digital systems have been implemented without the necessary training of employees to manage them properly, according to Dr. Jerotich. A constantly evolving data security and management culture is yet to be fostered in many SACCOs. Rather than simply relying on whatever digital systems are in place, SACCOs must remain vigilant in staying updated on new trends in cyber-attacks and putting in place access control mechanisms that protect member information, while implementing simple reforms like immediately revoking data access to departing employees. As for the vendors’ product prices, there are two options: either let the market mature as more competition emerges with better solutions and prices to match or follow Rwanda’s lead and commission subsidized software that leverage economies of scale to facilitate access to better digital systems for smaller SACCOs.

Digitizing traditionally analog institutions like SACCOs is a process with intermediate stages often rife with inefficiencies and risks. It will take time for prices of secure systems to reach approachable levels for smaller SACCOs, but these dynamics are not really any different than the struggle to provide meaningful, secure digital solutions for individuals and small merchants in rural and poorer locales. The question remains whether hybrid operational systems can be a smooth steppingstone in truly transforming SACCOs for the better towards a community-driven, neobanking future – or if its security lapses spell doom for what has historically been SACCOs’ greatest strength: its trust among community members. How this evolution continues will determine much for whether SACCOs continue to carve a unique and essential role in local financial ecosystems in a truly digitized environment.

Image courtesy of Muhammadtaha Ibrahim Ma’aji
Click here to subscribe and receive a weekly Mondato Insight directly to your inbox.