Data for Social Good: Using Credit Card Transaction Data to Mitigate or Prevent Catastrophic Events like Mass Shootings
Omar Marteen, the shooter at Pulse Nightclub and who massacred twenty-five individuals, was able to take out six lines of credit [across a roughly four-month period], including with a Mastercard, American Express card and three Visa cards to purchase the five firearms he used to carry out such a vile act. Because not all states require mandatory background or credit checks before the purchase of a firearm and financial institutions do not share information that could potentially put them “on the hook” with authorities, a major impasse exists in blocking mass shooters from obtaining lines of credit. Moreover, government regulations and laws have been extremely slow to leverage new technology to assist with the detection and enforcement of wrongdoing. Specifically, while the United States has many laws around the purchase and sale of firearms, many of these laws remain on the books only and are largely going unenforced. In this paper, I will examine how the United States can better enforce laws we have on the books, including those around firearm sale and purchase, with data available from banks and financial institutions. I discuss some of the benchmarks or thresholds that will need to be met (according to current federal and state firearm laws) to trigger “red flag” warnings to authorities to properly investigate. It’s also important to analyze existing legislation around financial data, like the Gramm-Leach-Bliley Act of 1999, to ensure consumer data privacy. I propose that the United States partner with a governmental third-party to assist in the follow up of “red flag” (or high risk) gun purchase transactions raised by financial institutions and banks, much like how Facebook and the National Center for Missing Exploited Children (NCMEC) collaborate. It’s clear from the meteoric rise in mass shootings over the past decade in the United States that government laws and regulations are not being properly enforced. By using existing legislation around firearm purchase and sale, technological capabilities that banks and financial institutions have to track purchases and sales, and encouraging new partnerships between financial institutions and the government, the United States can better identify high-risk individuals prior to shootings.
Thresholds and Benchmarks to Trigger “Red Flags” by Financial Institutions
Federal law does not limit the number of guns a person may buy in any given period of time. However, federal law does require federal firearm licensees (FFLs) to report multiple sales of handguns to the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) and other specified law enforcement agencies. Federal law defines a “multiple sale” as the sale of two or more guns to the same purchaser within five business days. The ATF explicitly states, “Multiple firearm sales are a significant indicator of firearms trafficking, and firearms sold in such sales are frequently recovered at crime scenes.” The Giffords Center cites, “Handguns sold in multiple sales were up to 64% more likely to be used in crime than handguns sold individually.” Because federal law doesn’t allow firearm dealers to maintain a central repository of firearm sales across the United States, research has found, that mass shooters simply evade this law buy firearms and ammunition in bulk and with around 5 days apart in purchases.
Why are firearm dealers not allowed to maintain a central repository of firearm sales across the United States? Under the Gun Control Act of 1968, licensed dealers are required to record certain information about a buyer (name, address, etc.) and the gun’s serial number at the point of sale. When a gun is recovered from a crime scene, local law enforcement agencies can request The Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) to trace the firearm’s origins. The retrieved information is compiled into a crime gun trace database maintained by the ATF. However, in the early 2000s, the database became a political talking point, as the Washington Post detailed in a 2010 article entitled, “Industry Pressure Hides Gun Traces, Protects Dealers from Public Scrutiny.” Investigations tying seized guns to a small handful of dealers spurred the federal government to impose tougher sanctions and inspections on gun retailers and manufacturers. But these sanctions backfired with the passing of the Tiahrt Amendments in 2003.
Since 2003, the Tiahrt Amendments, so named after the former Kansas Republican congressman who introduced the measures, have largely hidden the database maintained by the ATF from the public. Prior to 2010, local police could “access the database only to investigate an individual crime but not to look for signs of broader criminal activity” (for example, finding additional gang members involved if gang-related). The database operated with a “reasonable expectation of privacy” and kept within the scope of privacy protections laid out in the Fourth Amendment. Despite the relaxing of some restrictions, parts of the original Tiahrt Amendment remain in place. For example, the ATF cannot require gun dealers to conduct an inventory to account for lost or stolen guns; records of customer background checks must be destroyed within 24 hours if they are clean enough to allow the sale; trace data cannot be used in state civil lawsuits or in an effort to suspend or revoke a gun dealer’s license. While the Tiahrt Amendments do not appear to be going away anytime soon, there are some federal laws that can be used to better identify potential mass shooters in addition to the transaction-level data collected by consumer banks or financial institutions.
Federal law requires licensed firearms dealers to maintain records of gun sales for at least 20 years, including information about the firearm(s) being purchased, as well as the purchaser. Many articles and investigations have concluded that this individual-level transaction data is available to most financial institutions. These investigations cite financial institutions’ need to internally flag “high risk” and potentially fraudulent purchases (for the simple reason that they tend to have much higher default risk attached as well).  Several payment processing systems, including PayPal, Square, and Apple Pay, already have established rules (including banned websites, stores, etc.) that ban the sale of guns and gun-related items using their systems. “We do not believe permitting the sale of firearms on our platform is consistent with our values or in the best interests of our customers,” Square said in a statement in 2013.
It’s important to note that payment processing companies work very differently than companies that actually issue credit cards. Payment processors typically have a more direct relationship with the businesses they process payments for. The processor typically agrees on an individual basis, to process payments for a merchant and not to approve or reject individual purchases on a card. If the smaller players can afford to simply shut out the sales of guns and gun-related items, major financial institutions like JPMorgan Chase, Wells Fargo, and Bank of America can do a better job of using transactions already at their disposal to flag “high risk,” and potentially, illegal purchases of firearms (keeping within the above-mentioned laws on firearm limits, waiting periods, etc.). If these very large incumbent financial institutions aligned to limit the purchase of firearms, it would have a large downstream effect on firearm sellers who rely on these banks to conduct daily business, including stricter adherence to laws and regulations. If adopted, it’s also possible that such incumbent firms could benefit from lower credit default rates (due to the “high risk” nature of these purchases) and increased customer retention (shooters are more likely to be incarcerated or dead following a mass shooting), key metrics by which these firms gauge intra-industry success.
Framing the Problem
There were more mass shootings across the U.S. in 2019 than there were days in the year, according to a gun violence research group. 2019 had the highest number of mass shootings in any year since the research group started keeping track. By the end of 2019, there were 417 mass shootings in the U.S., according to data from the nonprofit Gun Violence Archive (GVA), which tracks every mass shooting in the country. GVA defines a mass shooting as any incident in which at least four people are shot, excluding the shooter. There have been 13 shootings that killed 10 or more people in the last decade, and in at least eight of them, the killers financed their attacks using credit cards. Some used credit to acquire firearms they could not otherwise have afforded (either with cash funds or value-backed collateral).
Financial institutions have been collecting purchase or transaction data for a long time. Most of this data and associated metadata (including location of purchase, item(s) purchased, time of purchase, etc.) have been routinely used by firms like American Express, Visa, Chase, and MasterCard to calibrate their internal algorithms to capture a better picture of the individual customer and detect fraud. This data-backed “picture” can then be used to recommend certain products and services to the individual based on previous purchasing history, economic, and social background. Today, however, most of this customer data remains trapped in data silos for reasons including ambiguous data privacy laws and fears of financial institutions “being on the hook” for criminal wrongdoing if they assume responsibility for alerting authorities. In the next section, I will focus on one regulation, in particular, the Gramm-Leach-Bliley Act of 1999, and highlight some of these data privacy issues. It’s important to note that while the GLBA is federal law, states are allowed to formulate their own laws that provide additional protections to consumers and their data.
The Gramm-Leach-Bliley Act of 1999: Loopholes & Exceptions
The Gramm-Leach-Bliley Act of 1999 required financial institutions “offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers.” First, the GLBA, under its “Financial Privacy Rule,” unfairly places the burden on the individual to protect his/her data privacy with an “opt-out standard” (as opposed to an opt-in standard which involves the consumer willingly agreeing to allow other parties access to their data). By placing the burden on the customer to protect their data, GLBA inherently weakens customer power to control their financial information. This provision is based on the assumption that financial companies will share information unless expressly told not to by their customers and if customers neglect to respond, it gives institutions that freedom to disclose customer nonpublic personal information (NPI). This NPI data can include credit rating(s), previous background checks (including any criminal history), government-issued permits, social security numbers, and even previous medical history.
Second, the GLBA disclaimers and notices are confusing and limit the transparency of information practices. GLBA assumes a company will explain a complex set of legal definitions added to numerous exceptions to the law in clear, transparent language in a way that will allow for an informed consumer choice. Moreover, according to recent studies, most privacy and opt-out policies are usually convoluted, confusing, and misleading since they are created by entities whose interests are better served when there is no effective notice. GLBA does little to deal with the lack of transparency in the privacy notices themselves. Furthermore, these privacy notices do not include any specific information about how the data is actually used. GLBA notices do inform consumers that their personal information will be shared, but they generally do not inform the individual of who will receive the information or the purposes for which it will be used. 
Third, the GLBA fails to enhance consumers’ control over affiliate information sharing (found in Section 2: Safeguards Rule). Consumers have no opt-out right against affiliate information sharing. In today’s world of mega-mergers, a bank may have over one thousand affiliates (including insurance companies), some of which may be completely unrelated to financial services. Fourth, financial institutions can evade opt-out requirements by exploiting the exceptions in the GLBA. The “service provider/joint marketing exemption” allows financial institutions to share information with non-affiliated third parties despite a consumer’s opt-out. Finally, the GLBA has weak enforcement and compensation mechanisms. Enforcement rests solely with federal government agencies, leaving the individual “no private right of action.” Although the GLBA was ostensibly meant to provide protection to consumers and their data, it has created a dizzying array of nuanced loopholes and exceptions. There’s a missed opportunity here to provide protection to consumers by sharing “high risk” behavior (described above) with a third-party investigative body whose job it is to investigate money laundering crimes and possibly prevent would-be mass shooters from obtaining credit. Put simply, the banks have the information required to raise “red flags” on “high risk” purchases and they frequently share this information with “affiliates” (largely avoiding consumer opt-in). Why can’t we reimagine a new system that harnesses some of these loopholes and exceptions for the social good and while keeping the actual data (including the aggregation and analysis of such data) within the control of the banks?
Exploring a Partnership Model (Exhibit 1)
The partnerships that exist between many of the United States’ Internet Service Providers (ISP), as well as individual websites like Facebook, and the National Center for Missing and Exploited Children (NCMEC) offer examples of how a third-party organization has come together to aid law enforcement investigations that are hard to scale and carry out in increasingly digital environments. In this particular partnership, the NCMEC mitigates and prevents the dissemination of child pornography while working closely with law enforcement. Internet Service Providers are required to share “limited information” with the NCMEC. This partnership stipulates that “only information related to the identity of any individual who appears to have violated a Federal law [laws described in a separate section], which may include the electronic email, Internet Protocol (IP) address, and other information, including self-reported identifying information.”  The threshold for the federal laws regarding child pornography largely involves the viewing, accessing, or disseminating of child pornography. Given the nature of such offenses, it makes sense that the benchmarks and thresholds are purposely low.
In the case of Facebook, the NCMEC has a unique, voluntary relationship that exists to help follow up on some twelve million reports of child pornography (most originating from Facebook’s private messaging application and not from private posts, etc.). Most of these reports occur through automatic detection through Facebook’s proprietary image recognition software that checks all uploaded photos against a database of previously verified sexual abuse imagery. Accounts that are found to have transferred illegal images are immediately deleted and all data associated with the account is reported to the NCMEC (including metadata). Many aspects of this unique data-sharing partnership model can be used in the case of financial institutions and preventing would-be mass shooters from obtaining firearms.
I propose that financial institutions and banks take a page from the relationship that exists between Facebook and the NCMEC. Banks, much like Facebook, have their own proprietary software, that helps track potentially “high risk” and fraudulent payments. Additionally, third parties also exist in the financial services sector to monitor potentially criminal behavior. For example, FinCEN, the Financial Crimes Enforcement Network, a bureau of the U.S. Treasury Department, exists to assist in the follow up of cases deemed to potentially involve terrorist (both domestic and international) payment activity. FinCEN works in partnership with both the financial community and with law enforcement to combat money laundering. It should be noted that, in this proposed solution, banks and financial institutions maintain control over their customer and associated payment data and metadata. Leaving the data aggregation and analysis to financial institutions allows for them to use their proprietary software, like in the case of Facebook, to sift through data silos and networks and removes the burden and onus on the third party to conduct time-consuming and costly data aggregation and analysis.
Financial institutions will maintain complete control over their data troves, almost completely removing infractions that might exist should the United States adopt regulation like the General Data Protection Regulation (GDPR). This is important because the American Civil Liberties Union (ACLU) has argued that the collection and analysis of such data infringe upon civil liberties protected in the First Amendment. By adopting a partnership model for cooperation and cross-sharing of customer-related transaction data, no outside third-party will be in charge of the monitoring or detecting processes; instead, financial institutions will aggregate and analyze the personally identifiable (PII) and NPI data. A third party, like FinCEN, would conduct the investigations into such matters in combination with appropriate law enforcement (Exhibit 1). The financial services industry is comparatively one of the most heavily regulated industries in the United States. Additionally, banks have adopted their own safety procedures and risk-mitigation techniques (like combinations of on-premise and cloud data centers) to provide consumers with some of the most enhanced data protection in the world. While this is merely a proposed solution, it offers a new and creative approach to use consumer data for social good while keeping within the bounds of laws like the Gramm-Leach-Bliley Act of 1999.
Data privacy, security, and integrity are all of paramount importance in today’s data-driven world. However, it is possible to reimagine new solutions to pressing societal concerns, like the rise in mass shootings over the past decade, while safeguarding individuals’ and groups’ sensitive data (PII, NPI, etc.). Because the majority of firearms in the United States are purchased with the assistance of credit cards, it is beneficial to look at the role of financial institutions and banks play in assisting would-be mass shooters in obtaining firearms. This will require financial institutions and banks to work alongside each other and potentially third-party partners in the reporting of “red flag” or high-risk purchases or transactions. Adopting a partnership model, like the one that exists between sites like Facebook and the NCMEC, offers a possible solution that quells First Amendment and civil liberty concerns around data privacy and security. Even government laws and regulations, like the Gramm-Leach-Bliley Act of 1999, that are meant to safeguard consumer financial data do a poor job in ensuring privacy. While keeping within the limits of the Gramm-Leach-Bliley Act 1999, banks and financial institutions can share these “high risk” transactions they have uncovered with a governmental, third-party like FinCEN without breaching consumer data privacy regulation and provide for social good, including mitigating or preventing mass shooters from obtaining credit.