One market, many regulators: the coordination gap
Maria has no choice: she’s going to miss her monthly payment on her small-dollar loan by a few days. It has been a hard spell for her hairdressing business and the price of her son’s medicines unexpectedly doubled. But within minutes of missing her payment, the digital company that made her loan has messaged her friends, her mother and her pastor and posted on Maria’s own social media accounts – embarrassing messages saying “I’m a deadbeat” and worse.
When Maria applied for her loan, she unwittingly gave the lender access to her phone’s data, manipulated by dark patterns and other tricks to surrender her most sensitive personal data and applications. Now that lender is deploying it in a campaign of humiliation and harassment, compounding Maria’s misery.
This is a real phenomenon, one that has only grown more widespread and severe as hundreds of millions of consumers across the developing world have gained access to digital tools. And it’s one that continues to persist in part because of the lack of coordination and collaboration between the 2 regulatory sectors most directly empowered to stop it – data protection and financial services.
Digital financial services have transformed how hundreds of millions of people save, borrow and pay. Mobile money and digital credit are expanding access to formal finance at a pace that would have seemed implausible a decade ago. Yet the overlapping regulatory frameworks governing these services are not always keeping up with technology – or with each other.
Data protection regulators and financial regulators operate under separate mandates, enforcing different laws and working in distinct institutional cultures. In practice, this means the same providers, products and transactions are subject to multiple requirements on data collection, retention, consent and sharing – requirements that are not always straightforward to reconcile and are sometimes in tension. Navigating this fragmented landscape raises compliance costs and creates uncertainty; this falls hardest on the smallest and newest companies, with downstream consequences for competition and innovation. For consumers, fragmented regulation can mean unclear rights and redress and gaps in supervision and enforcement can leave open opportunities for predatory digital lending, fraud and unchecked data harvesting.
These are not abstract concerns. Credit-shaming practices – where digital lenders demand broad access to a borrower’s contacts and social media, then use that access for invasive debt collection – have been documented across Africa and Asia. Fraud is surging and the tensions between data minimisation principles and financial regulators’ requirements to collect and retain data (eg for anti-money laundering and credit assessment) and what that means for use and sharing of those data, remain largely unresolved.
These are the challenges that brought more than 50 participants from data protection authorities, central banks, international organisations and the private sector across Africa, Asia, Latin America and Europe to Kigali, Rwanda on 9 March 2026 for a full-day cross-regulatory workshop. Convened by Financial Innovation for Impact (Fii) and the Cambridge Centre for Alternative Finance (CCAF) at Cambridge Judge Business School, with support from the Gates Foundation, the workshop (conducted under the Chatham House Rule) was part of a broader research programme examining how data protection and financial regulation intersect in the governance of digital financial services, both globally and with a focus on 10 developing countries.
What we heard: 6 key takeaways
1
Privacy and financial inclusion are not in competition
The central message of the day was that data protection and financial inclusion must be designed together, not traded off against each other. Fragmented regulation creates the illusion of a choice between the 2. In reality, privacy safeguards can underpin the trust that drives adoption of formal financial services, while well-designed financial regulation can create the data governance conditions under which responsible innovation thrives. The challenge is one of regulatory design, not a tug-of-war between competing objectives.
2
Trust is a systemic property, not a product feature
Participants returned repeatedly to the idea that trust cannot be engineered by individual firms or regulators alone. It is a property of the system as a whole: dependent on institutional credibility, consumer understanding and accountability frameworks working in concert. Digital finance and the regulatory framework that supports it, must offer real assurances to earn consumers’ trust or risk a reversion to cash or informal channels, a trend some participants reported as already visible in their jurisdictions.
3
Coordination is broadly desired but structurally difficult
There is genuine appetite for cross-regulatory collaboration, but significant obstacles remain. Siloed mandates, capacity gaps, different institutional cultures and legal vocabularies and the absence of mechanisms to sustain coordination beyond initial memoranda of understanding all make joined-up oversight harder than it sounds. Promising case studies were discussed as instructive, though participants were clear that context matters and no model transfers wholesale.
4
Standards can be a powerful coordination tool
Standard-setting activity emerged as a potential multi-purpose instrument: motivating regulatory coordination, shaping market behaviour and serving as a platform for regional harmonisation. Participants shared an expansive view of what standards could achieve, while cautioning against overly prescriptive approaches that ignore local capacity constraints. Joint guidance between data protection and financial regulators was identified as a practical near-term step that could signal alignment and reduce uncertainty for market participants.
5
Cross-border harmonisation is vital but must respect local context
Concrete examples brought the benefits of harmonisation to life, both in and beyond the financial sector context. But harmonisation was also treated with caution: participants warned against top-down approaches that ignore domestic legal frameworks and institutional realities. Adequacy determinations, which govern whether personal data can be transferred between jurisdictions, were singled out as a particularly intractable but consequential area, with real-world examples of absent adequacy arrangements impeding fintech operations and regional expansion.
6
Capacity is the binding constraint
Across virtually every topic, participants returned to the challenge of limited institutional capacity: within regulators, the judiciary, law enforcement and among consumers. Many data protection authorities are less than a decade old, operating on small budgets and carrying less institutional weight than central banks with decades of established authority. Building capacity was seen as a precondition for effective coordination, not a secondary concern. Participants challenged conventional training approaches, advocating instead for peer exchange, secondments across regulatory areas and learning embedded in practice.
What comes next: first steps towards joined-up regulation
One of the clearest messages from Kigali was that coordination should not be pursued as an abstract procedural exercise. It is most likely to succeed – and to build lasting institutional muscle in the process – when organised around specific, urgent problems. Fraud and open finance were identified as the most promising entry points: domains where the case for joint regulatory action is immediate, the potential benefits are tangible and the political conditions for cooperation are most favourable.
We also heard a strong call for an evidence-based coordination blueprint: a diagnostic and roadmap tool that helps regulators assess where they stand, prioritise next steps and measure progress over time. Treating coordination as a maturity journey, in which foundational steps enable and reinforce more ambitious ones, was a framing that resonated across the room.
Get involved
These insights will feed directly into CCAF and Fii’s globe-spanning initiative-tackling the join-up of data protection and financial regulation, which will lay out practical, context-sensitive recommendations for strengthening cross-regulatory coordination at the national, regional and global levels. Future workshops will deepen the analysis of specific thematic areas and test emerging findings. In parallel, CCAF and Fii are conducting country-level assessments of our 10 focus jurisdictions, mapping global initiatives and developing a quantifiable framework to assess the harms and missed opportunities created by regulatory fragmentation. The programme’s learnings will be consolidated into a comprehensive report due to be published in the latter half of this year.
If you are a regulator, policymaker, researcher or practitioner working at the intersection of data protection and financial services, we want to hear from you. The research programme is actively seeking input on the practical coordination challenges that regulators face in their jurisdictions and on the thematic areas explored in this workshop.
Contact the team at [email TBC] and join CCAF’s mailing list for updates on the programme and forthcoming publications.
About the Kigali workshop
The Kigali workshop was conducted under the Chatham House Rule. This post reflects the substance of the discussions without attributing views to individual participants or organisations. The views expressed are those of the authors and do not necessarily represent the views of the Gates Foundation, the Cambridge Centre for Alternative Finance, the University of Cambridge, or Financial Innovation for Impact.
Featured authors
Max Bentovim
Data Protection Lead, Financial Innovation for Impact (Fii)
Yue Wu
Data Scientist, Cambridge Centre for Alternative Finance (CCAF)
Tanya Ghuman
Research Analyst, Financial Innovation for Impact (Fii)
[Additional authors TBC]
Further reading
Read our report on the intersection of digital public infrastructure and digital finance.
Read our report on the future of global fintech.
Learn more about Financial Innovation for Impact.
Related articles
Finance and accounting
Where AI meets blockchain: assets, agents and blind spots
An analysis of AI and blockchain convergence, covering compute infrastructure, crypto assets, autonomous agents and emerging policy challenges by Wenbin Wu, Research Associate at the Cambridge Centre for Alternative Finance.
Finance and accounting
Crypto privacy after sanctions – the return of coin mixers
Crypto mixers are back but different, say Wenbin Wu and Keith Bear from the Cambridge Centre for Alternative Finance (CCAF), Cambridge Judge Business School. After 2022 sanctions scattered the market, compliant privacy protocols now dominate.
Industry leaders face a choice: act now or risk the integrity of blockchain-based markets and digital currencies, says Wenbin Wu, Research Associate at the Cambridge Centre for Alternative Finance (CCAF), Cambridge Judge Business School. Here we reveal regulators’ and policymakers’ bridging roles for quantum-resilient blockchains, and the importance of collaboration by technologists, economists, and regulators in the quantum age of financial technology.