The issue of data protection has become increasingly complex, especially in developing nations where individuals often lack insight into how their personal information is managed. Understanding these nuances is crucial, as the actions taken by governments and financial institutions can have profound implications on personal privacy and data security.
Data protection rights cannot be meaningfully exercised without visibility into how personal data is processed. In developing countries, this lack of visibility increases the risk of individuals being monitored by public institutions before adequate legal protections are in place. A notable instance of this occurred in Kenya, where the implementation of the Huduma Namba Digital ID scheme was halted by the courts until robust legal safeguards could be established, illustrating how advancements in digital infrastructure can quickly outpace existing laws.
Advanced analytics now have the capability to draw a variety of conclusions from existing datasets. A prime example is the European Central Bank (ECB)’s AnaCredit dataset, which records loans granted to businesses rather than individuals. In 2025, the ECB acknowledged the possibility of identifying individuals when a business’s name includes a person’s name and address. This emphasizes how data collected at the institutional level can have personal data implications, especially with the rise of AI-driven analytics that blur the lines of what is classified as personal data through “inferred identities.”
Digital Payments and CBDCs
This concern is particularly prominent within payment systems. Traditionally, central banks have not had regular access to retail transaction data; however, this changes when they control retail payment systems or central bank digital currency (CBDC) systems that consolidate transaction flows. For instance, Brazil’s PIX fast payment system grants the Banco Central do Brasil oversight of all transactions conducted on the platform.
AI can derive insights from payments data that go beyond the purposes for which the data was originally collected. This has raised critical issues in digital payments and CBDC initiatives, as policymakers currently strive to balance data protection with legal mandates, such as anti-money laundering and counter-terrorist financing (AML/CTF) measures. Although the processing of personal data in this context is often justified under legal obligations or public interest, broad legal bases can still permit significant transactional analytics and inference-based profiling, including scoring or categorizing individuals.
The stakes are particularly high for developing economies. According to the World Bank’s AI supervision report, AI-driven credit scoring has gained traction in parts of Africa due to many consumers lacking formal credit histories. The risks become especially pronounced when AI flags lead to further scrutiny without adequate human oversight or avenues for contesting errors. In nations attempting to implement fast payment systems and CBDCs to improve financial inclusion and foster a digital economy, such misjudgments may have a disproportionately negative impact on those least equipped to challenge them. In this context, ineffective governance regarding inferences can discourage participation and thwart the very developmental goals these systems are intended to achieve.
What Should Change
As AI systems become more sophisticated and capable of acting on derived insights, it is essential to implement strong safeguards. These should encompass the insights produced, the actions initiated, and the vulnerabilities associated with AI-driven tools.
Addressing these issues should not be left solely to data protection legislation or emerging AI governance frameworks. They must also be managed through the regulations governing central bank functions, including payment systems and supervisory practices,1 along with actionable guidelines and governance strategies for AI tools.
Three priorities stand out for emerging market and developing economies (EMDEs):
- Institutional Transparency. Central banks should maintain a comprehensive inventory of AI-driven tools, detailing the purpose of each tool, the types or categories of personal data that may be processed, their influence on decisions, and whether they involve or rely on inferences about individuals, including those who did not directly provide their information.
- Meaningful Human Oversight. Oversight should stem from continuous risk assessments throughout the analytics lifecycle. This encompasses meaningful human intervention, independent reviews, impact assessments, auditable records, and avenues for contesting decisions. This is particularly critical in many developing nations where legal remedies may be limited or costly.
- Data Separation and Controls. Establishing clear rules for data sharing and reuse, enforcing access controls, and employing privacy-enhancing technologies can help mitigate function creep, prevent inference spillovers, and protect against the misuse of data for political control. In EMDEs, such safeguards should be proportionate, risk-based, and tailored to local capacities.
For central banks, establishing effective governance is vital for safeguarding personal data in the age of AI. The risk that these powerful technologies will outstrip existing oversight frameworks is both real and urgent. Nevertheless, by promoting institutional transparency, sustaining human oversight, and implementing stringent data controls, central banks can bolster their governance systems even as their inferential capabilities grow. The challenge moving forward lies in using these technologies to promote financial inclusion while maintaining public trust in digital transformations.
________________________
1 See: BIS (2025) Governance of AI Adoption in Central Banks and BIS (2025) Governance and Implementation of AI in Central Banks; IMF (2025) Working Paper Toolkit on AI Projects in Financial Supervisory Authorities; OECD (2024) Regulatory Approaches to AI in Finance and OECD (2026) Supervision of AI in Finance.
