After reports that they sell their customers’ location data to questionable buyers, AT&T, Verizon and Sprint have vowed to stop selling location data to third-party data aggregators, whom they blame for sharing customers’ locations with bounty hunters and fraudsters.
Financial institutions have long relied on location data as a fraud signal. If a customer is in New York but her credit card is being used at a store in Los Angeles, it's a red flag for fraud. The biggest telecom carriers are the most reliable source of this data; they know where their customers are at all times, within a few hundred feet.
But it raises the question whether as telecom companies restrict access to such information whether that could impair banks' ability to catch fraud.
“It’s a sensitive topic right now,” said Abhi Ingle, senior vice president of digital, distribution and channel marketing at AT&T. “There are banks that have been customers of ours in the past who have been using location as part of their fraud management algorithms."
Evidence of abuse
News outlets started reporting on misuse of location data last year. In May 2018, The
In January,
In the wake of the bad publicity and at the urging of Sen. Ron Wyden, D-Ore., AT&T, Verizon and Sprint vowed to stop selling location data to aggregators.
“Operators have to be super careful about how we monetize that data,” said Serhad Doken, technology incubation and innovation executive at Verizon.
AT&T's Ingle puts the blame on aggregators. Whenever there’s an aggregator between carrier and bank, “you lose sight and custody of the location data and somebody else can use it for their own purposes,” he said.
“Let’s say I’m doing business with a reputable bank," Ingle said. "We’re both in regulated businesses with massive reputation risk; you would never knowingly do something that would compromise a customer’s privacy. The minute you put people in between, it causes problems. That’s why we committed to Congress that we would not sell any location data to aggregators.”
What about fraud?
Location data is not the only signal banks use to find fraud. Others include unusual transaction behavior and use of an unknown device to access an account. But location information is useful.
“Few data sets create as much assurance during a transaction as location data culled from cellphones,” said Sean Sposito, an analyst in the fraud and security practice at Javelin Strategy & Research. “These devices not only follow us around, but for many of us, they’re extensions of self.”
If that data is no longer available, then what? For one, banks can gather location data from customers’ devices through their mobile banking apps. The drawback to that approach is that they have to ask permission and customers can easily opt out.
“I tend to not allow apps on my browser or on my phone to access my location,” said Mario Dusaj, senior solutions architect at Callsign, a provider of behavior analytics and security threat analysis. “That makes it difficult for the banks to get this kind of information, because it is really in the hands of the end user.”
Also, people tend not to run their mobile banking apps all the time, because they don't want to drain their phone battery. This limits banks' visibility into customers' normal patterns of movement.
“AT&T was providing this helpful information from the back end so that banks can access it directly, rather than grabbing it from the device itself,” Dusaj said.
Al Pascual, senior vice president of research at Javelin, said that some carriers are establishing direct relationships with banks.
“My understanding is that AT&T in particular tends to license data with select customers,” Pascual said.
Banks that make such agreements with carriers will most likely do side-by-side testing of the existing location data feeds they’re receiving minus the AT&T data, versus the same feeds supplemented with separately purchased AT&T location data to see if it’s adding enough lift.
“If not, they may do without it,” Pascual said.
While large banks may be able to strike direct deals with telecom firms, it could be harder for community banks to do so.
“Time will tell,” Pascual said. “A number of the aggregators have other sources for location data and account status data, but the efficacy of those solutions without a direct feed from AT&T remains to be seen.”
Banks also may end up relying more on authentication mechanisms like behavioral biometrics and facial recognition to determine whether or not a transaction is fraudulent, rather than leaning on location data.
Many said it makes sense for the carriers to restrict access, however.
“AT&T is right to take a stand about who’s getting access to their customers’ data and how it’s being used,” Pascual said. “For far too long we’ve seen examples of aggregators who have done a poor job in vetting their clients or customers, or not had strong enough controls to their customers’ accounts. I can appreciate saying this is enough, these are our customers. It’s common sense.”
The new policy also saves AT&T from scrutiny of its data-handling practices and reduces reputational risk, Pascual noted.
Editor at Large Penny Crosman welcomes feedback at
