Principle 3: Transparency
Digital finance companies communicate with users in a complete and meaningful way.
- People do not need to give up legal rights in order to use the service.
- The legally binding documentation does not require an end user to commit to resolve disputes via binding arbitration.
- The legally binding documentation does not require an end user to commit to give up their right to be part of a class action against the company.
- Company clearly discloses legally binding documentation.
- All legally binding documentation can be accessed from a single location accessible to users before creating an account or purchasing access to the service.
- Legally binding documentation is linked in site navigation on the company home page and the product overview page.
- User data rights are clearly disclosed before a person creates an account on the service.
- Company shares all applicable user data rights in a short-form disclosure that is accessible before a person creates an account on the service.
- Company discloses any data collection and/or data use that can be incorporated into a profile that supports secondary uses such as targeted advertising.
- Company discloses what user information is incorporated into data profiles that can support secondary uses.
- The company provides a clear explanation of how users can control whether their information is incorporated into a data profile.
- Company does not engage in network growth hacking (sharing contacts to the app) unless doing so is a feature of the app (e.g., for P2P payment services).
- Data sales or transfers are opt-in by default, with clearly defined processes in legally binding documentation to give and withdraw consent.
- Users understand the product’s business model.
- Company transparently shares business model.
- Company shares how it earns revenue.
- Users understand how the company earns its revenue.
- Company transparently shares staff incentives.
- Fees are transparently shared with consumers in a meaningful way.
- Users receive in-app notifications of fees at appropriate times when interacting with the service.
- User data rights are transparently shared with consumers in a meaningful way.
- Users receive in-app notifications of data rights at appropriate times when interacting with the service.
- Users are provided with clear notification of the data collected and its intended use.
- The implementation is responsible in its use of third-party software integrations that may not offer the same level of transparency.
- Data endpoints are disclosed.
- The company evaluates its security practices and is transparent about them.
- The company publicly shares its comprehensive information security program in a prominent location that is linked from its home page and product page.
- The company shares the results of periodic risk assessments that identify internal and external risks to the security, confidentiality, and integrity of customer information.
- The company notifies appropriate authorities and those affected when a cybersecurity incident occurs.
- The company commits in legally binding documentation to notify the relevant authorities within 36 hours, or as required by statute, when a cybersecurity incident occurs.
- The company clearly discloses its process and timeline for notifying users who might experience a disruption in service, monetary loss, or identity theft due to a cybersecurity incident.
- The company clearly discloses what steps it will take to address the impact of a cybersecurity incident on its users.
- The company maintains a service status dashboard so people can see if and when the service is impacted by outages in real time.
- The product or service is marketed fairly and accurately.
- Marketing materials help potential users clearly understand both risks and benefits.
- Marketing materials make all disclaimers required by law.
- Company explains the service to users in a meaningful way.
- Services are explained in a legal document.
- Services are clearly explained in a meaningful way throughout the user experience.
- Transaction speed (time it takes to complete a typical transaction as defined by the product: loan approval for credit, claims processing for insurance, deposit for savings, payment completion for payments) is disclosed in a legally binding document.
- The company commits to notify users about changes to the service.
- The company discloses how and when users will be directly notified of changes to the service(s).
- Use of ML/AI is clearly explainable and equitable.
- Company clearly discloses how and when ML/AI is used.
- Company discloses what factors are considered in ML/AI.
- The right for users to challenge automated decisions is defined in a legally binding document.
- Procedure to challenge automated decisions is clearly documented and accessible.
- Company makes efforts to ensure ML/AI is trained and retrained to root out and unlearn bias, and to not replicate inherent systemic barriers or discrimination.
- The company commissions and releases the results of third-party equity audits on its use of ML/AI.