Blundered CBE Plunders Privacy Naming, Blaming and Shaming for a Glitch's Recovery

Apr 6 , 2024.

In a rather unsettling turn of events, the state-owned Commercial Bank of Ethiopia (CBE), under the management of its President, Abie Sano, found itself embroiled in controversy after taking an unconventional approach to dealing with a recent financial mishap. The glitch, which allowed transactions to be credited without corresponding debits, purportedly resulted in a staggering loss of an astronomical amount of Birr within a brief window.

While the Bank's President has acknowledged transactions nearing a billion Birr during this period, estimates from sources close to the debacle suggest the figure could be much higher. There is an industry-wide speculation of insider involvement, and serious concerns are being raised about the integrity of CBE’s systems and the adequacy of its internal controls.

Despite the substantial financial losses, CBE's failure to hold any of its personnel accountable – from senior executives to IT staff – should deepen concerns about responsibility and governance within Ethiopia's largest financial institution. What is more worrisome should be how Abie and his team have managed the crisis, which is unhelpful, bordering unethical, if not unlawful. Not surprisingly, the turbulence has prompted regulators at the National Bank of Ethiopia (NBE) to initiate a sweeping investigation. It is now upon the CBE's Board of Directors, chaired by Finance Minister Ahmed Shedie, to commission a comprehensive audit of the Bank's technology assets and infrastructure to prevent further occurrences.

Meanwhile, to address a system glitch that permitted unauthorised fund transfers, the Bank resorted to publicly shaming some of its depositors. Abie's unorthodox act included a decision to publish the names, account details, and photographs of individuals — many of whom are college students — on CBE's website and banners displayed at branch entrances. CBE justified this unconventional tactic to shame those who allegedly exploited a system malfunction to transfer funds improperly.

The public denouncement apparently aimed to castigate those alleged to have withdrawn or overdrawn funds due to the technical failure, capitalising on the Bank’s momentary vulnerability.

However, the Bank's series of actions, ostensibly to recoup losses incurred from the system glitch, has ignited a firestorm of controversy in some quarters but not as much public outcry. Sadly, few appear to appreciate the broader implications of violating the sanctity of individual privacy. The decision to publicly disclose depositors' information treads on controversial grounds. It not only breaches norms of privacy and data protection but also poses legal and ethical questions.

The broader implications of CBE’s actions extend into the issues of data privacy and individual rights.

In Ethiopia, like in many jurisdictions, entities that handle personal data, whether public or private, are expected to do so with the utmost care and confidentiality. The expectation of privacy is a contractual and legal right that, when violated, can erode trust and damage reputations. Ethiopia’s privacy laws, still in their nascent stages, offer a framework for protecting personal data, yet the enforcement and cultural appreciation of these rights remain underdeveloped.

The CBE debacle reveals this critical gap in the country’s legal and regulatory framework about data protection and privacy, an increasingly untenable void in the digital age. It is a no-brainer that socioeconomic, cultural, and political factors influence society’s understanding and valuation of privacy. Historically, the Ethiopian communal way of life, coupled with a long account of authoritarian rule, has stunted the development of a robust privacy culture.

However, the proliferation of digital technology and the increasing digitisation of personal information force a reexamination of privacy norms. Yet, despite these shifts, the legal and institutional mechanisms necessary to protect privacy remain lacking. Federal and regional agencies, as well as public enterprises such as Ethio-telecom, are endowed with significant powers to collect and manage personal data and operate in a regulatory vacuum that should raise serious privacy concerns. The situation is compounded by the use of surveillance technologies without adequate legislative oversight, further encroaching on individual rights and liberty.

The incident with CBE should serve as a grim reminder of Ethiopia's privacy challenges.

It reflects the need for a more comprehensive and enforced legal framework for data protection, urging a broader cultural shift towards valuing and safeguarding personal information. The imperative to align privacy and data protection laws with international standards becomes increasingly urgent. The ongoing effort to establish a federal commission tasked with the responsibilities of ensuring personal data are protected may mark a meaningful step forward. Yet, the effectiveness of this body and the broader legal framework remains to be seen.

Ethiopia's data privacy and protection approach is less cohesive than global standards, such as the European Union's General Data Protection Regulation (GDPR). While there are parallels in the emphasis on individual rights and data security, the EU's stringent enforcement mechanisms and comprehensive scope show the gaps in Ethiopia's current framework. For commercial banks like the CBE, operating in this fragmented legal environment provides undue space for trampling customer data without regard to compliance with domestic and international standards.

The controversy enveloping the CBE casts a shadow over the Bank's operational integrity and the overriding culture of commitment to privacy and data protection. The Bank's decision to publicly shame its depositors, irrespective of the intentions behind it, undermines the trust essential to the banker-customer relationship. It demonstrates a grave misjudgment by Abie and his team, exposing an utter disregard for legal norms and ethical standards in the pursuit of accountability. The result exposes the degree of their impunity, accountability and absence of transparency.

The incident should also serve as a clarion call for Ethiopia's legislators and the authorities to strengthen legal and regulatory frameworks governing privacy and data protection. Doing so is about compliance with international norms, if not encouraging a culture of respect for individual rights and building trust in the digital economy. The path forward requires efforts beyond legislative actions.

A societal shift towards valuing privacy as a fundamental right would be the duties of institutions like the CBE.

The recent incident can prompt a reevaluation of practices, policies, and the ethical underpinnings of operations by those who are custodians of citizens' data. Through these efforts to address inadequate literacy, lacking culture, fragmented laws, and the presence of a federal agency with regulatory oversight on data privacy and protection, Ethiopia can hope to build a digital economy that is dynamic, trustworthy, and respectful of individual rights.

PUBLISHED ON Apr 06,2024 [ VOL 25 , NO 1249]

How useful was this post?

Click on a star to rate it!

Average rating 3.7 / 5. Vote count: 3

No votes so far! Be the first to rate this post.

Put your comments here

N.B: A submit button will appear once you fill out all the required fields.

Editors' Pick

Fortune news