PayJoy’s commitment to consumer privacy

By Jaideep Mirchandani, Chief Product Officer

In previous PayJoy blog posts, we highlighted the problem of lending to the underbanked and how PayJoy technologies are helping to solve this problem. Core technologies like the PayJoy Lock and Score enable our partners to reach underserved consumers by solving the collateral and credit scoring challenges. These consumers often don’t have other ways of getting the credit they badly need, especially in the current times of heightened liquidity risk.

The World Bank image below shows the severe lack of credit, especially in emerging markets. And this was before the COVID-19 crisis.

As we scale with our partners to serve more users, we believe it continues to be important that we protect the privacy of these users. We approach this holistically and have taken steps to safeguard user privacy in our products, our processes, and through collaborations with our partners. This post covers these aspects.

Let’s start with our products. To build products, we’ve tried to make conscious technology choices and have designed privacy into our products. We’ve been careful to use leading off-the-shelf technologies that have a strong roadmap. On the server side, we use public cloud infrastructure hosted on AWS. We use modern public-key cryptography and HTTPS across the board, so that we benefit from the ongoing security improvements made to the world’s largest user-facing infrastructure.

In addition to best-in-class technology choices, we have implemented a layered approach (a best practice) for the people and systems that access data. A good example of putting this into practice is how we handle sensitive customer data. Quick recap: in markets where our Finance partners require a PayJoy Score to offer finance, we record a limited amount of such data (for example, SMS messages) – with explicit user consent – for credit scoring. This ultimately enables financially excluded users to get and build credit in conditions where no alternatives exist.

A small number of PayJoy employees access this data on a strict need-to-know basis, for instance, to build and test the systems that calculate or update a credit score. This data is hosted on separate servers with highly restricted access. The systems access this data via a modern, microservices architecture, which further limits access to a single, controlled interface.

In addition to layering, we proactively implement a data retention policy even though several governments (in our target markets) don’t mandate one. We delete all sensitive user data within 12 months of originally recording it.

Let’s now consider PayJoy’s mobile apps. The PayJoy Lock is installed on the phones of end-users. The strength of this lock makes it possible for our Finance partners to be comfortable lending money to underserved users by using the phone as collateral. Making the lock strong enough to withstand fraud requires PayJoy to have the right level of device-locking capability during the term of the loan. We work with OEMs to enable the minimally required level of control – while preserving user privacy – so that the device can be locked during the term of the loan.

Back to the end-user. To begin the process, our finance and retail partners explicitly describe the Lock-based financing model and its implications to the user. Users typically sign contracts to this effect. We don’t stop at human education. After this, the PayJoy mobile app discloses the device access we require and seeks user consent. We do this using a UI which clearly explains what capabilities we need and why.

The app starts with an introduction and visual reminder of the reasons the PayJoy App needs locking capabilities (including device control required to lock). This is in clear language. The user has a clear choice to deny consent at each step of the process.

The user has the clear option not to activate. The PayJoy App reminds them (once) of the impact of declining, then makes it easy for the user to make the choice without further pop-ups or questions.

Another example comes from PayJoy’s anti-fraud measures. To protect the majority of our trustworthy and deserving users, PayJoy matches a National ID with a selfie. Along the way, the app provides clear reasons why it takes this step. Once the match succeeds, the app also auto-fills ID information into the subsequent application form, saving the majority of our users error-prone and repetitive data-entry steps.

Let’s now consider our OEM collaborations. Overall, we see this as an opportunity to better serve our users. We work with OEMs in two technology modes. We either use the OEM’s Device Management software or we enable OEMs to use PayJoy Access. Access makes devices ready for PayJoy Lock-style financing when an OEM does not have the required Device Management software in place.

Consider Device Management mode. On Samsung phones, we use Samsung’s Knox Platform for Enterprise (KPE), a mature platform with extensive privacy controls. It also enforces added user transparency. Users clearly see the level of device controls and access required for the PayJoy software to run successfully. Once the term of the loan is completed, PayJoy gives up all control of the device.

Using PayJoy Access, OEMs update the phone’s firmware to ensure secure provisioning and activation of the PayJoy Lock. These updates prevent malicious parties from “breaking the lock” by disabling or removing the PayJoy software. It is important for the OEM to be fully aware of what the PayJoy software is doing and what access it has. To support this, PayJoy uses an open communication process to collaborate with OEMs. Specifically, PayJoy shares source code, design, and test documentation to help OEMs validate their implementation, as well as to understand PayJoy’s design. Our OEM partners such as d.light perform significant testing in-region to ensure that the Lock behaves optimally from the perspective of privacy and viability for consumer finance.

Finally, all devices that implement PayJoy Access pass Google’s Compatibility Test Suite (CTS), an industry expectation for Android devices. CTS covers OEM firmware including the OEM’s PayJoy Access implementations.

This completes the cycle of designing and implementing privacy for our users. Through our use of leading off-the-shelf technology, open internet protocols, layered security and transparent OEM collaboration, PayJoy has worked to ensure the right balance of user privacy and a viable financing model.

The Road Ahead: We will continue our commitment to enhancing user privacy as we innovate with our financing model. Our plans include increased support for Data Location as these requirements get clarified by governments in our target markets. In addition, we will continue to take advantage of underlying platform improvements. For instance, we will fully support Android 11’s improved privacy controls. Finally, we will continue to experiment with requiring lighter device controls while still serving our users in emerging markets with much-needed credit.