Regulatory Requirements for Fraud Prevention – Your Questions Answered

Fraud prevention requires data. But data is increasingly protected by regulations.

How does it work, and what should you check before deploying an anti-fraud solution? All your questions are answered here.

Is Fraud Prevention a Legal Requirement?

For most online businesses, fraud prevention is part of their risk management strategy rather than a legal requirement. Companies tend to only think about fraud losses after they’re already operational and then deploy anti-fraud solutions to solve the problem.

There are, however, regulatory requirements designed to reduce fraud. You may have to meet those requirements depending on the sector you operate in. 

If you are a payment provider, for instance, you will be asked to meet regulations such as PSD2’s Strong Customer Authentication requirements, deployed with the goal of reducing payment fraud.

When it comes to identity theft, a growing number of industries must ensure that they can verify customers’ identities to meet KYC verification requirements. 

While, initially, only financial institutions needed to meet KYC and AML requirements, these days, you may also have to be compliant if you are a BNPL, iGaming operator, travel agency, real estate company, or other industry considered volatile.

A great way to learn if you should deploy anti-fraud measures is to go over our fraud risk assessment checklist here. 

Can Fraud Prevention Help With Regulatory Compliance Requirements?

Yes. Fraud prevention solutions are designed to help you learn more about your users and customers and their behavior. This is a key part of what some regulators require when it comes to identity verification, authentication, and demonstrating a risk-based approach.

 For instance, a fraud detection system can help with the following:

• KYC: Know Your Customer is one of the most evident ways in which a fraud prevention system can help you meet compliance requirements. By verifying user identities, you can block fraudulent profiles, which improves both your security and compliance.
  
• PSD2: Payment verification is increasingly important for online businesses, especially to comply with PSD2’s Strong Customer Authentication requirements. A form of identification is required at the payment stage. However, having a fraud detection solution in place prior to the transaction can actually exempt you from this rule – effectively reducing friction for shoppers and making their experience more enjoyable.
  
• Safer gambling: A compliance requirement for iGaming operators in the UK. The goal is to protect players by allowing them to exclude themselves from casinos and betting platforms. Enforcing this self-exclusion is much easier if you can verify their identities.
  
• Age restrictions: Some fraud prevention systems can help your company ensure that users aren’t lying about their age – which could land you in legal hot waters. This can be done through ID document verification or through alternative means, depending on legislation.
  
• AML: The link between anti-money laundering, identity verification, and fraud prevention can be bridged with the right software.

What Is the Connection Between Anti-Fraud and AML Compliance?

AML verification, which overlaps with other local requirements, such as the US’s Bank Secrecy Act (BSA) or Counter Financial Terrorism (CTF) measures, is a legal requirement that does not necessarily call for fraud prevention solutions. 

However, it does require forms of identity verification and AML transaction monitoring, which some fraud prevention software can help with – since they already gather the data for KYC or to combat payment fraud.

In fact, because they are adjacent pain points, some fraud prevention companies, including SEON, also have AML-specific modules and solutions.

Ensuring that you do not help money being laundered is an increasingly stringent process, verified by a number of regulators around the world. 

It’s also crucial to note that regulatory compliance is ever-evolving.

For instance, while the Financial Action Task Force (FATF) only used to recommend the implementation of a risk-based AML approach for banks and financial institutions, it now also targets companies such as BNPL or luxury retailers.

What Kind of Legal Requirements Must Fraud Prevention Vendors Comply With?

The short answer is that it depends. Drafting a contract with a fraud prevention vendor varies from one industry to the next and even from one country to another. What is certain, however, is that most of the legal grounds will cover data protection. 

A fraud prevention solution needs your business data to work.

This may become a compliance issue if the data isn’t handled properly or if you do not explain how user data is shared in your privacy policy.

There are two key terms to understand in relation to data legislation, as defined in the GDPR but used beyond the EU as well:

• Data controller: In this case, this is your company. You control the user data.
  
• Data processor: Here, this is the fraud prevention vendor. In the context of fighting fraud, processing data means obtaining, holding, or recording data. It also covers operations such as disclosure, retrieval, consultation, organization, or erasure of data.

Ensuring both your users and their data are protected is paramount when dealing with fraud prevention vendors.

How Can I Ensure My Fraud Prevention Is Compliant?

The amount of data shared with the fraud prevention vendor as well as the way in which it is shared must comply with local data protection principles.

Therefore, the data processor’s privacy policy should cover the following:

• the legal basis for why the data is used
• the data retention period
• how it handles data deletion requests
• where the data servers are located, and under which jurisdiction this falls

Aside from consulting the fraud prevention vendor’s privacy policy, it’s also a good idea to look out for compliance certificates (see below).

Is Fraud Prevention Legal Under the GDPR?

Yes, fraud prevention is legal under the EU’s General Data Protection Regulation (GDPR) as well as, by extension, the UK GDPR. Recital 47 in the regulation states:

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

It’s also important to note how the GDPR defines personal data, as found in Article 4 (1): 

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Some fraud prevention vendors go the extra mile by letting you delete data upon request. At SEON, you can do so easily with our Erase API, which is key when dealing with EU-based customers.

What Kind of Compliance Certificates Should Fraud Prevention Vendors Have?

When it comes to compliance certificates, the number of acronyms can be overwhelming. These include SOC 2, ISO 27001 and more. Here are a few you could look out for:

• SOC 2: The gold standard when it comes to compliance for service organizations. It was developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data confidentiality, integrity, security, and availability.
  
• ISO/IEC 27001: A standard for information security management designed to show that companies rely on the proper framework, operations, and processes with regard to data management.
  
• NIST 80053: A NIST certification from the National Institute of Standards and Technology overlaps with the ISO 27001 certification but with the added benefit of aligning with the Federal Info Security Management Act.
  
• FedRAMP: The Federal Risk and Authorization Management Program is an assessment process created by US federal agencies to ensure sufficient security is in place when accessing cloud-hosted services or software. 

iGaming companies should also look for licensed solutions – for instance, with The Service Industry Licensing Bureau (SILB).

How SEON Can Help Meet Regulatory Requirements

SEON is designed to turn your customer data into a treasure trove of information via data enrichment, which pulls a customer’s digital footprint without asking them for it. As a result, the data is real-time, actionable and much more difficult to falsify.

We also offer a specific AML module, which is designed to enhance anti-money laundering compliance with the data you already have.

A single email address, phone number, or IP address can help you tell the difference between high-risk customers and valuable users. This is ideal for PSD2 (soon to be PSD3) and to help streamline KYC compliance.

Importantly, SEON is:

• GDPR compliant
• SOC 2 certified
• ISO 27001 certified

You can read more information in our privacy policy, designed to give you complete peace of mind when it comes to data processing and compliance.