Data Privacy in Risk Management

In today’s economy where consumers routinely spend more of their lives online, precise intelligence on customer behavioral patterns is key to making smarter business decisions faster than the competition. The maxim holds true regardless of where a company operates; data acquisition, management, and analytics will continue to dictate how successful companies are in capturing their markets.

And for any internet company selling online services, experiences, or goods to their customers, the advantages of multi-country expansion are obvious. 

Despite the benefits of an international presence, capturing market share in new geographies comes with its own barriers to entry: obstacles that bring additional risks to companies looking to broaden their customer reach.

In a previous post, we’ve covered how global regulatory frameworks have evolved in the past few years, and how, in tandem, consumer sentiment toward online privacy has put growing numbers of companies under the compliance microscopes of policies like GDPR and CCPA. 

In this post, we’ll outline how local data laws add more complexity to the equation as companies expand into new markets, and propose an approach to mitigating compliance penalties when it comes to risk and fraud prevention.

Regulatory barriers to entry

In general, data regulations set the legal boundaries of what data companies can collect on a country’s constituents; how that data is to be collected, stored, and transferred between systems and servers; the processes for recording data trails; what rights constituents have to know, use, and erase the data companies have gathered; and the penalties imposed for violations.

In some cases, frameworks are similar in scope (e.g. GDPR and CCPA), and the main distinctions between them are their physical jurisdictions and the severity of their fines. Dozens of other countries have starker differences between their regulatory frameworks, and data localization is one difference that can separate compliance from violation.

Data localization can either be required directly by a particular compliance framework, or a by-product of how a company can stay compliant within a particular framework. This kind of data localization requires governed data to be stored and/or processed within the relevant physical jurisdiction and often requires explicit permission from the individual or the regulator for any inter-region data transfer.

Overview of regulations in key markets

Mexico and Brazil

Mexico has a population of ~130M, and Brazil has a population of ~213M. These two markets make up the bulk of consumers within Latin America and are often attractive entry points into the broader Latam market for foreign online businesses.

The Mexican government was early to the table in addressing the need for data privacy laws, and the Constitution has recognized the protection of personal data as a fundamental right since 2009/2010. Since then, three norms have made up the core of regulations facing the private sector: the Federal Law on Protection of Personal Data Held by Private Parties, the Regulations to the Federal Law on Protection of Personal Data Held by Private Parties, and the National Institute for Access to Information and Protection of Personal Data.

Under these guidelines, data transfer agreements must be signed before personal data can be legally transferred, and all data transfers to third parties (as opposed to processors) must be disclosed in the privacy notice and consented to by data subjects.

The INAI is the national body tasked with upholding private company compliance, and in 2015 imposed a fine of MXN 32 million (approx. €1.4 million) on a financial institution for processing sensitive personal data without explicit written consent of the data subject. A Federal Court confirmed the resolution of the INAI, considering that the fine imposed was duly justified, proportional, and legal.

In 2020, the Brazilian General Data Protection Law (LGPD) entered into force and was the first comprehensive data protection regulation, broadly aligning with the EU GDPR. While penalties under the LGPD only became enforceable the following year, public authorities and data subjects could still enforce their rights around erasure and recording under the law beforehand.

In 2021, the Brazilian Senate also approved the PEC (Proposed Amendment to the Constitution), which includes federal protection of personal data as a fundamental citizen right and is still pending legislation.

India

With a growing population of 1.4B and 61,400 startups recognized as of 2022, India is one of the most lucrative markets for online companies. 

In 2021, the Indian government proposed a series of data and privacy regulations which are expected to come into full effect in 2022. The Data Protection Bill, which has yet to become an actual law, has many of the same flavors as GDPR, with an expanded scope covering both non-personal and personal data, stringent breach reporting requirements (72 hours), and a phased implementation in which the government may notify companies of the enactment of different provisions.

The Department of Science and Technology also issued “Guidelines for acquiring and producing geospatial data and geospatial data services including Maps”, which restrict foreign entities from creating, owning, and storing certain types of geospatial data.

United States and European Union

Regulations here will seem familiar to most companies, as the GDPR (General Data Protection Regulation) in the past few years has become the standard on which other countries draft their regulations governing the protection of consumer data. 

GDPR governs how Data Controllers and Data Processors within the European Union collect and store data, and many companies applied near-identical frameworks to their US customers both to fulfill requirements of the CCPA (California Consumer Privacy Act) and usher in a high trust environment for customers in other states. 

Since January of 2021, total fines issued by EU authorities surpassed $1.2B, and more recently, California has formally started to build an agency dedicated to compliance enforcement and prosecution of violations. 

Simplifying the compliance equation for fraud prevention

Given the numerous privacy requirements companies must fulfill to operate in new markets, as well as the compliance requirements specific to their industry, entering a new region and staying compliant can seem daunting, if not nearly impossible. The same difficulties apply to long-established players in a region, as long as they collect, process, and store the same kinds of consumer data which continue to lend an advantage.

Specifically for companies with a built-out fraud risk function, these factors raise the challenge of collecting enough customer data to build accurate models which spell out the degree to which dollar losses from criminal activity can be expected and hopefully prevented. 

The Moonsense SDK provides ways these companies can shrink the risk of violation when dealing with data residency, transfer, and storage, while simultaneously giving companies fine-grained behavioral data which can form the basis of fine-tuned fraud models.

Robust in-house, first-party data collection

As fraud typologies grow in scope and dollar amounts, many companies that process data are also concerned about stemming fraud losses. Financial service institutions, global retail stores, software companies, and health care providers all face diverse types of fraud. Many rely on third-party software which pools global customer data in order to abstract away decisions involved in calculating fraud risk.

When it comes to regulations, we covered how important it is for companies to minimize inter-surface data risk to stay compliant. Because the Moonsense SDK allows companies to build functionality for first-party behavioral data capture into their own products, data collected here for fraud modeling stays within company control and is only subject to the privacy policies and consent of companies that use it, instead of a mix of third parties.

This radically simplifies the surface area in which valuable and legally actionable data is stored, making it much easier for risk functions to know exactly what data they have on consumers, who within their organization has access to it, and most importantly, who outside of their organization doesn’t.

Controlled data destination routing

We’ve also covered how important it is for companies to understand and control where their data is routed, particularly with the data of constituents in heavily regulated regions. 

To solve this, the Moonsense Cloud was built to architecturally support regional data ingestion. Once a device using the Moonsense SDK collects data, a second step is triggered to ask our backend where the data should be stored. By default, the backend responds with the closest location for service optimization but can be configured to route specific data to up to twenty-nine different global regions which largely line up with the Google Cloud regions.

This becomes incredibly powerful for a CISO or VP of Compliance wanting finer degrees of route control, as it allows data to automatically be sent to a location that falls within compliance requirements and handled by the best-equipped team to process it within a region.
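The routing decision described above can be sketched as follows. This is an added example, not Moonsense's backend code: `resolve_region`, `RESIDENCY_POLICY`, `NoCompliantRegion` and the sample region table are hypothetical names and constructed data, and the sketch goes one step beyond the text by failing closed when no permitted region is available.

```python
import math

# Constructed sample data (not the Moonsense region list): region id -> (lat, lon).
# Ids follow Google Cloud region naming; coordinates are approximate.
REGIONS = {
    "us-central1": (41.26, -95.86),
    "europe-west1": (50.45, 3.82),
    "southamerica-east1": (-23.55, -46.63),
    "asia-south1": (19.08, 72.88),
}

# Constructed sample policy a compliance team might configure: data subject
# jurisdiction -> regions where that data may be stored. Illustrative only,
# not a statement of what any law requires.
RESIDENCY_POLICY = {
    "BR": {"southamerica-east1"},
    "IN": {"asia-south1"},
    "EU": {"europe-west1"},
}


class NoCompliantRegion(Exception):
    """Raised instead of falling back to a region the policy does not allow."""


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def resolve_region(jurisdiction, device_location, available=None, policy=None):
    """Return the storage region for one upload.

    Pinned jurisdictions only ever get a region from their allow-list;
    everything else gets the closest available region (the default behaviour).
    """
    available = REGIONS if available is None else available
    policy = RESIDENCY_POLICY if policy is None else policy
    allowed = policy.get(jurisdiction)
    candidates = [r for r in available if allowed is None or r in allowed]
    if not candidates:
        # Fail closed: a regional outage must not turn into a cross-border transfer.
        raise NoCompliantRegion(jurisdiction)
    return min(candidates, key=lambda r: distance_km(device_location, available[r]))
```

The jurisdiction passed in should come from the account or consent record rather than from device location, so that a pinned user who is travelling still resolves to their home region.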

Complete Control of User Behavioral Data Flow

These two capabilities allow companies to collect every bit of behavioral data they need for fraud modeling, keep it under their own legal roofs, and route it to the most sensible locations for compliance.

With these advantages, companies can now position themselves to enter new markets, capture customers within those regions, and minimize the risk of compliance violations from complexity fatigue. In a follow-up post, we’ll take a technical deep dive into how we support these capabilities architecturally.