Financial Service Apps Meet New Google SMS Compliance Mandates
Google Play updated their Personal Loan policy on April 3rd to restrict the use of sensitive information, including SMS content and call logs, which poses challenges for financial service apps in terms of loan applications and risk assessment. In this article, we'll delve into this new policy, explore its impact on financial service companies and discuss strategies to respond to such challenges promptly
May 21, 2024
8 minutes
Keqiang Xu, Yuqi Chen, Elaine Cheong
During their journey of digital transformation, financial institutions are grappling with unprecedented challenges in data acquisition. As these countries strengthen personal privacy laws and public awareness of data security grows, the traditional data collection and use practices of financial institutions are coming under intense scrutiny.
This issue is particularly acute in the credit sector. Credit companies traditionally depend on extensive customer data to evaluate credit risks, verify identities, and ensure transaction accuracy. Traditional method of assessing credit data involved reading SMS content on mobile phones. There’re significant contribution to this method — Utilizing SMS content for SMS cleaning, feature engineering and model development can provide a good foundation of user risk profile. Understanding lending and repayment records through SMS can also enrich data for decision-making. However, heightened consumer awareness about data security and new app store policy requirements are now compelling financial institutions to reevaluate their data strategies within the framework of the elevated security and privacy standards.
Google Play’s regulatory policies have made it difficult for financial institutions to access SMS permissions and related data compliantly and conveniently over the past year. The challenge is particularly severe in emerging countries where trustworthy credit data sources are already scarce.
Against this backdrop, we’ve been exploring how financial institutions can overcome these data acquisition challenges in the current regulatory climate. What strategies can be adopted to both obtain the necessary data and ensure its compliance and security without relying on app installation lists and SMS?
In this article, we’ll be sharing TrustDecision’s solutions, including compliant device ID collection, advanced device risk environment detection, and capabilities for identifying fake IDs and live attacks. These solutions can help credit and digital lending companies to enhance risk management while adhering to regulatory standards.
Latest Privacy Policy Updates on Google Play
App Permission Policies
Starting from October 25, 2023, Google Play has set forth a series of platform policy adjustments targeting app developers in the Financial Services category. Together with the criteria on Mobile Unwanted Software (MUwS), malware, privacy, deception and device abuse, Google Play has prohibited unauthorized access to device data including call logs, SMS, precise location, installed app lists.
Google Play Protection
Privilege escalation is an important signal in malware detection algorithm. It refers to a situation where an attacker gains unauthorized access to the privileges or access rights of a system that are normally reserved for higher-level users, such as administrators. In most of the cases, there will be corresponding detection during and after the app is listed at the store.
Some developers may employ a Web to App (W2A) approach to circumvent the app review process, but Google offers a safeguard known as Google Play Protect. This security service automatically scans all applications installed on a device, including those not downloaded from the Google Play Store, to identify any potentially harmful activities.
Real-time protections for non-Play installs
"Google Play Protect offers protection for apps that are installed from sources outside of Google Play. When a user tries to install an app, Play Protect conducts a real-time check of the app against known harmful or malicious samples that Google Play Protect has cataloged.. The app is also checked by on-device machine learning, similarity comparisons and other techniques to confirm if it's suspicious. If the app is identified as malicious or suspicious, we will warn users or block the installation in extreme cases.
Google Play Protect also offers new protections for emerging threats that were previously not scanned before. When Play Protect does not recognize any malicious code from the collected samples, it recommends a real-time code-level scan of the app to extract important signals for evaluation by Google. This helps combat novel malicious apps that may have been altered to avoid detection. If a user agrees to scan the app, they will upload the app data to Google for analysis. A short time later, Play Protect will let users know if the app appears safe to install or is potentially harmful." Read more here.
Designing Solutions That DON’T Rely on Sensitive Information
In contexts where credit data coverage and effectiveness are limited, mobile device profiling and retained personal data have become crucial for assessing customer credit risk and managing risk - analyzing repayment reminders and overdue notifications from financial institutions can provide insights into customers' credit records and repayment intentions. Additionally, the frequency and type of app usage can reveal insights into customers' interests and preferences.
With the strengthen regulations and growing customer concerns about privacy protection, financial institutions must explore alternative and innovative technologies for data acquisition and analysis. For instance, using device IDs to identify and track devices ensures personal privacy is not compromised. Also, by assessing the risk environment of devices, financial institutions can indirectly evaluate customer credit risks.
Specifically, financial institutions can implement several strategies based on the basic environmental parameters of the devices used in applications:
Device ID Technology: By collecting comprehensive data on the device’s hardware and software attributes, such as the operating system version, brand, and storage capacity, server-side algorithms can create a unique fingerprint for each device. This technology is essential for accurately tracking each device and restoring a full chain of user behavior in the application.
Device Environment Detection: Analyzing the network interfaces, system calls, and process behaviors on devices can help identify potential security threats early. This technology is vital for detecting any fraudulent tools or malware that may be running during the application process.
Device Blacklist and Whitelist Systems: By linking known fraud to identity elements and device IDs, high-risk device can be identified and flagged quicker. On the other hand, device with good records can be whitelisted. Using historical data, financial institutions can organize a blacklist and whitelist system to enhance efficiency of risk management.
IP Address Trace Analysis: Analyzing the user's IP address and comparing it with geographic location databases can reveal inconsistencies between the user's login location and claimed residence. This approach helps uncover potential fraud risks by highlighting discrepancies in user behavior patterns.
Network Traffic Analysis: Monitoring communication with known fraudulent servers or suspicious IP addresses can help identify unusual behavior patterns, such as non-typical communication times or frequencies. Machine learning algorithms are used to establish a baseline of user behavior, automatically flagging traffic patterns related to fraudulent activities, which aids credit decision-making processes.
Application Behavior Analysis: Examining users' clickstreams, page dwelling times, transaction frequencies, and biometric data collected through device sensors can uncover unique behaviors in application processes. This analysis is crucial for spotting deviations from normal patterns, such as frequent login attempts or unusual transaction behaviors.
TrustDecision‘s Global Risk Decisioning System
TrustDecision specializes in delivering advanced risk decision services. With a decade of experience in device fingerprinting, TrustDecision has accumulated substantial local device fingerprint data across the globe, especially in emerging markets such as Indonesia, the Philippines, Mexico, and Nigeria. This invaluable data, coupled with extensive expertise in fraud prevention within the credit sector, enables tailored and effective risk management solutions for each of our client.
As a foundational product serving key global markets, TrustDecision upholds the security and compliance of device fingerprints as the fundamental baseline and core value throughout our risk decision-making processes.
TrustDecision employs sophisticated data analytics to seamlessly merge device information with application behavior data, enabling thorough oversight and deep insights into the credit application process. Our aim is to meticulously reconstruct the entire application pathway with precision and stability, and to detect anomalies at each critical juncture through targeted feature analysis.
Business Feature Analysis
TrustDecision leverages machine learning and statistical analysis to perform detailed examinations of key behaviors during application processes, such as scrutinizing application frequency, speed of information input, and patterns of authentication interaction. This approach helps identify deviations that could signal fraudulent activity.
Anomaly Signaling
TrustDecision's decision-making system is adept at identifying real-time anomalies, such as frequent application attempts within a short timeframe, inconsistent device identifiers, or behaviors that deviate from established historical patterns, enabling proactive fraud detection and prevention.
Local Similarity Detection
Beyond analyzing individual applications, TrustDecision calculates similarities among multiple applications to identify potential group fraud activities. This method involves analyzing consistencies in devices and identities, as well as correlations in data, to effectively detect and mitigate collaborative fraud schemes.
Real-Time Monitoring and Alerts
TrustDecision's advanced risk control platform supports real-time monitoring and issues alerts when suspicious activities are detected. This prompt alert system allows for quick intervention by operational teams, efficiently reducing potential risks.
Compliance and Privacy Protection
TrustDecision strictly adheres to data protection regulations and privacy policies throughout all risk analysis operations. This ensures the security of data collection, transmission, encryption, and processing, maintaining a high level of privacy and security for user data.
Continuous Iteration and Optimization
TrustDecision is committed to continuously refining its decision algorithms and models. Adjustments are made to keep pace with changing fraud patterns and market conditions in various host countries, ensuring TrustDecision's services remain at the forefront of the industry.
By addressing fraudulent applications, enhancing identity verification capabilities, and implementing advanced credit management, TrustDecision empowers clients to expand into new markets fast and secure.
In a Nutshell
In the face of increasingly stringent data protection regulations, financial institutions are encountering unprecedented challenges in accessing data. TrustDecision has observed firsthand how these institutions have adeptly navigated these hurdles through innovative strategies that optimize their data acquisition and risk management processes.
Strategic Responses
Financial institutions are pivoting from traditional data sources to alternative data and advanced analytical techniques to maintain high-quality credit services. By employing tools like device fingerprinting, behavioral analysis, and network traffic monitoring, they manage to assess credit risks effectively without compromising user privacy.
Compliance as Priority
For financial institutions, compliance is not merely a legal requirement but a crucial factor in building customer trust. TrustDecision's solutions rigorously comply with international data protection laws, ensuring that financial institutions operate within regulatory frameworks while delivering their services.
Tech Innovation as a Catalyst
Technological advancements are vital for financial institutions to adapt to shifts in the market and stay competitive. By integrating cutting-edge data analytics and machine learning technologies, these institutions can pinpoint fraudulent activities more accurately and refine their credit decision processes.
Future Outlook
Looking ahead, we anticipate the credit sector will continue to evolve towards more intelligent and personalized direction. Financial institutions will increasingly focus on using technological means to enhance user experience while strengthening their risk management capabilities. Privacy protection and data security will become central considerations in product design.
As a leading provider of decisioning intelligence solution in the risk management space, TrustDecision is dedicated to pushing the envelope in technological innovation, offering precise and efficient tools for managing fraud, credit, and compliance risks to help our clients stay competitive in a volatile market. By developing risk management strategies that do not rely on restricted data access, we aim to foster sustainable business growth for all our clients.
