In this first post of a two-part series, we’ll cover how some recent developments in user privacy regulations impact teams tasked with defining their organizational fraud mitigation strategy. The second part of this series will address what those organizations can do to stay compliant while preventing negative repercussions of large-scale fraud.
A more private future
Within the past five years, following mandatory data privacy regulations has become a primary business concern for companies in the financial sector. In tandem, consumer demands for better online privacy and corporate data governance continue to grow.
In 2018, the EU’s General Data Protection Regulation (GDPR) was enacted to hold businesses accountable when dealing with the personal data of Union citizens. Within a year, it became the de facto global standard for how businesses should store and process the personal data of their “data subjects”.
This regulation was yet another addition to an already long list of mandatory legal frameworks that financial services companies must abide by, including SOX, PCI DSS, BSA, GLBA, FINRA, and PSD2 among others, each with its own requirements and penalty fines.
Then in 2020, a global pandemic forced consumers to move more of their day-to-day tasks online (e.g. banking services), accelerating an already pressing need for companies to manage volumetric spikes in customer data within legal requirements.
And more recently, platforms like Apple and Google have steered their product features toward a more private and protected internet. Changes like Safari’s new fingerprinting prevention, “social widget” prevention (e.g. Facebook’s “like” button plugin), and Android’s elimination of user- and device-level identifiers in cross-app advertising campaigns are but a few rollouts that will likely push more companies to prevent third parties from collecting personal data about their customers and devices.
Navigating these challenges with consumer privacy and data regulation is likely to grow more complex in the future, particularly for leaders at financial institutions who have dual responsibilities to protect their customers from fraud and shrink company dollar loss from online attacks.
How data regulation and privacy affects fraud prevention
Often, financial services companies ask themselves how they can stay ahead of evolving regulatory requirements through their use of third-party tooling.
At the same time, those companies look to third-party tools to strike a delicate balance between catering to the growing industry and consumer sentiments toward online privacy and safeguarding themselves and their customers from external attackers and fraudsters.
This balance is not only delicate but difficult to achieve. Virtually every third-party company that prevents online fraud by external actors relies on capturing massive volumes of numerous data types on users who are, in many cases, not its own customers. Once that data is captured, these tools interpret and model it to predict the likelihood of fraud occurring in certain circumstances.
For example, to prevent fraudulent credit card transactions, many fraud prevention vendors that practice third-party data gathering have models which, at a minimum, tie an email address to a physical address, to the location and time at login and transaction, and to the transactional history of that user across all other applications plugged into their global data network.
If the majority of consumers were aware of this practice, would they think this kind of third-party data gossip and secret profiling of their behaviors represents a move toward a more private internet? How would they perceive companies that employ these practices from a trust standpoint?
And given the tendency for regulatory frameworks to expand in scope as consumer and corporate fraud dollar losses grow year after year, are the companies that employ these global data networks concerned about the privacy practices of the external parties holding data on their own customers?
It’s a difficult position. Many companies are aware of the risks of using global data networks but simply aren’t aware of alternative approaches to striking the balance between fraud prevention, consumer protection, and service privacy on one side and regulatory requirements on the other.
To better understand how a fraud or risk organization can adapt its strategies to align with this growing need for better data governance and user privacy, let’s review some terminology and distinctions between the types of data companies collect on consumers.
Data Classification: First-Party and Third-Party
First-Party Data
First-party data is any data a consumer provides directly to a company (the first-party) with their explicit consent, in exchange for usage of the products or services that the company offers.
This includes personal details like name, social security number, phone number, physical and email addresses, and other data a consumer would provide to a banking institution when opening an account, for example.
Customers provide this data because they understand the company needs it in order to provide them with product utility or service access, such as personalized banking experiences or account protection.
These data types and how they are to be used are typically included in the company’s Terms of Service and Privacy Policy.
Third-Party Data
In contrast with first-party data, third-party data is user data or details sold to or shared with another company (the third-party).
Fraud mitigation vendors often aggregate this kind of data from across their customer base so that each customer can draw on a broader data network when the vendor’s tools assess that customer’s own users for fraud.
Consumers are often unaware that data gathered on their behavior and identity is being shared with these third parties; it is frequently collected without their explicit knowledge that it will be shared.
De-risk Compliance with First-party Data
Given the current climate of consumer privacy, companies under heavy regulation can adopt alternatives to third-party data aggregation when refining their fraud mitigation strategy. Using first-party data to de-risk reliance on gray-area data consent is one of those approaches.
In the second part of this series, we’ll outline some practical steps an organization can take to work first-party data into its strategy and stay a step ahead of its compliance requirements.