Introduction
The General Data Protection Regulation (GDPR) was enacted with noble intentions—to safeguard individual privacy and empower consumers. Ironically, in the battle against financial fraud, its unintended consequences hinder banks’ ability to protect consumers. Instead of a shield, it has become an obstacle.
The most significant challenge centres on data collection and processing. When companies collect and process personal data, they must ensure compliance with regulations such as the GDPR, which means they must thoroughly understand why and how they collect and process that data. In the anti-fraud industry, however, limits on data collection and use are even more impactful: data collection and processing are fundamental to fraud tracking, detection, and real-time analysis, making GDPR restrictions particularly burdensome in this context.
Conflicting objectives: Privacy vs. Protection
Financial institutions have an unwavering ethical and legal responsibility to safeguard customer assets. Yet, fear of excessive GDPR penalties has created a climate of hesitancy and hindered the full use of available anti-fraud technologies. The delicate balance between data privacy and security has been severely disrupted.
Legitimate interests – Lost at Sea
While GDPR includes “legitimate interests” as a lawful basis for data processing, including fraud prevention (Article 47), this provision is dangerously vague. The absence of specific guidelines for the financial sector breeds uncertainty. Lacking a compass to navigate these murky waters, corporations often opt for overly cautious approaches that compromise customer protection.
The crippling fear of fines
Massive potential GDPR fines exacerbate the problem. Penalties reaching up to €20 million or 4% of global annual turnover far exceed the average losses caused by many fraudulent activities. This disproportionate risk calculus forces banks to prioritize avoiding regulatory burdens instead of deploying robust fraud prevention measures, leaving customers more vulnerable to criminals.
Charting a path through the regulatory maze
How can banks navigate this? Here are critical action points:
- Transparency is essential: Privacy policies must be crystal clear about the necessity of using data for fraud detection, highlighting consumer benefits.
- Purpose-driven and proportionate: Data use must be strictly limited to what is essential for fraud detection, prioritizing protecting sensitive information. Data minimization must be actively practiced.
- Overcoming internal misconceptions: Education is crucial. Teams must understand the lawful basis for fraud prevention under GDPR to avoid unfounded timidity.
- Collaboration for clarity: Banks must actively engage with regulators for sector-specific guidance on fraud prevention and permissible data use within the GDPR framework.
- Beyond mere assertion: Financial institutions cannot simply claim “legitimate interest.” They must proactively document and justify their fraud prevention measures, demonstrating why specific data is necessary and how processing balances consumer protection and privacy.
- Implement robust encryption practices: Encrypt sensitive data at rest and in transit to demonstrate a commitment to the security of customer information. GDPR explicitly endorses encryption as a vital security measure.
A case in point
Julien Laurent, Group-IB’s senior anti-fraud expert, who shapes key strategies and technology development for fraud prevention, presents a case based on the analysis of privacy policies. While plenty of excellent privacy policies are publicly available, Julien draws his references from reading half a dozen DPAs of global banks, paying particular attention to that of his own bank. These DPAs give customers good clarity on why and how their data is monitored. The notice demonstrates the following:
- Legitimate interest: The notice mentions using customer information to “prevent or detect crime, including fraud and money laundering.” This aligns with Article 6(1)(f) of the GDPR, which permits processing data based on the “legitimate interests” of the data controller; fraud prevention is undeniably a legitimate interest for financial institutions.
- Automated decision-making: The notice states they use “automated systems to help them make decisions about their customers, for example, to carry out fraud and money laundering checks.” Transparency around automated decision-making is essential under GDPR (specifically Article 22), as individuals can object to automated decisions that significantly affect them.
- Unambiguous consent: Crucially, by accepting their Privacy Notice, which clearly outlines these practices, customers provide unambiguous consent for using their data in fraud prevention activities.
As an anti-fraud professional holding retail and corporate accounts with the bank, Julien conducted several tests and found that the bank may not utilize all the data points that modern fraud protection solutions can process to detect certain fraud cases. It is worth noting, however, that the bank’s marketing team might well be leveraging these same data points.
The data dilemma: growth vs. security in the age of customer insights
Meanwhile, most marketing departments are armed with sophisticated data analytics, seeking to personalize offerings and drive customer engagement, leading to increased business growth. Every transaction, every click, and every interaction with a bank’s platform becomes a valuable data point.
This data encompasses a wide range of information, including:
- Personal demographics: Age, income, location, marital status – these factors paint a picture of a customer’s life stage and potential financial needs.
- Financial profile: Account balances, spending habits, credit history – understanding a customer’s financial health allows for targeted offerings like loans, investments, or credit cards.
- Behavioral data: Website and app usage, transaction patterns, channel preferences – this data reveals a customer’s digital footprint, providing insights into their financial behavior and preferred communication methods.
- External data: Market trends, competitor product information—banks incorporate external data to tailor their offerings to remain competitive and adapt to market fluctuations.
Targeted campaigns: By analyzing this vast data, marketing departments can create highly targeted campaigns, recommend personalized products, and drive customer acquisition and retention. Imagine a young professional receiving a notification about a student loan repayment tool shortly after a sizeable education-related expense appears in their account. This level of personalization, fueled by data, is the cornerstone of modern marketing strategies.
While the marketing department sees an opportunity in data, the risk department views it as too great a challenge, and for many, concerns about data privacy create analysis paralysis*.
*Analysis paralysis (or paralysis by analysis) describes a situation where an individual or group overanalyzes or overthinks a problem to the point that they cannot make a decision. This often happens when there is too much information to process or the fear of making a wrong decision is overwhelming.
The unintended consequences of GDPR
GDPR provides the necessary protection of people’s privacy. However, scammers have found ways to exploit it to their advantage.
Although their privacy policies give risk departments the provisions they need for legitimate interest and customer consent, the broad language of GDPR leaves room for interpretation. This creates uncertainty, which can result in risk-averse approaches that hamper robust fraud prevention efforts capable of stopping even the most challenging fraud cases. For example, inter-bank live data sharing against Authorised Push Payment (APP) fraud, through solutions such as the Group-IB Cyber Fraud Intelligence Platform, is already delivering results to regulators in other parts of the world by using advanced AI to fight fraud.
Time for change
GDPR is an essential tool for digital privacy. However, its lack of clarity is an open invitation for fraudsters to exploit its ambiguities. The upcoming GDPR revision presents a unique opportunity to address these unintended consequences. Detailed guidance, illustrative cases, and sector-specific examples would empower banks to combat fraud confidently. The alternative is to allow GDPR to remain a shield for criminals: ambiguous or restrictive regulations could inadvertently allow criminals to exploit vulnerabilities, keeping consumers at risk. The regulations are therefore expected to become more precise, enabling risk managers to finally use the entire arsenal that modern fraud protection solutions have put at their disposal today.
Ensure your customers and business are not at risk due to GDPR inconsistencies!
Consult our anti-fraud specialists for compliance matters, anti-fraud strategies, and the right technology implementations to curb fraud and related scams.