(A prior version of this article was published in ABA Risk and Compliance, November/December 2025)
Banks are expanding the use of geospatial data, also commonly referred to as geolocation data. Geolocation data is rapidly becoming a strategic tool for managing risk, targeting marketing efforts, and personalizing the customer experience. However, along with its benefits, geolocation data brings a complex landscape of regulatory and customer preference risks.
Understanding geolocation data
Geolocation (or geospatial) data captures information about a customer’s location and can be gathered from a wide range of digital and traditional sources. Beyond simply identifying where someone is, geolocation data enables several targeted strategies in risk management, marketing, and service delivery. The following terms explain common uses:
Geotargeting — Using location data to tailor content, risk controls, marketing offers, or services to a customer’s specific location.
Geofencing — Creating a virtual boundary around an area that triggers actions when a user enters or exits that perimeter.
Geoconquesting — A form of geofencing that places a virtual boundary around a competitor’s location to influence customers nearby.
Geoframing (also known as georetargeting) — Leveraging geofencing data to target audiences after they have left a specific area, often combined with other data points for a more complete customer profile.
Geolocation uses in banking
Banks use geolocation alone or in combination with other information to support a wide range of services and processes, including real-time fraud alerts, customized product offerings, and directing banking app users to the nearest branch or ATM. Geolocation, geotargeting, and geofencing all have uses in financial crime prevention, marketing and personalization, customer experience, operations, and compliance. In some cases, geolocation may also have benefits in credit risk management and financial inclusion.
Financial crimes risk management
Some of the most common strategic uses of geolocation are in financial crimes risk management. Location data is a crucial factor in customer authentication. In this use case, an unusual location may prompt additional authentication steps to help safeguard customer accounts.
Transaction monitoring also utilizes geolocation data. A credit or debit card transaction in a location outside of the customer’s historical spending patterns may trigger an alert. Similarly, contemporaneous transactions in widely disparate locations can be an indicator of card theft, cloning, or transaction fraud. For example, a customer appearing to have transactions in Atlanta, Seattle, and New York within a brief span may have a lost or stolen card or card number. Transaction location data can provide earlier warnings of potentially fraudulent activity.
Other financial crimes use cases include monitoring transactions for activity that is subject to Office of Foreign Assets Control (OFAC) sanctions, detecting cross-border or out-of-market transactions, and identifying suspicious patterns of deposits and withdrawals. Banks can block app or card access in sanctioned geographies. Additionally, banks may implement additional monitoring or enhanced customer due diligence for accounts with suspicious transaction patterns in geographies designated by the Financial Crimes Enforcement Network (FinCEN) as High Intensity Money Laundering and Related Financial Crimes Areas (HIFCAs).
Marketing, personalization, and customer experience
Both banking and other industries commonly utilize geolocation for marketing and personalization. Location data enables the creation of tightly targeted local promotions and even branch-specific campaigns, with distribution triggered by a geofence or a pattern of transactions within a branch. Credit card lenders may push promotional or rewards offers through web browsers or mobile apps when users cross geofences around retail partners. Mortgage lenders may generate offers if a customer passes through a geofence around a new housing development.
Using geoconquesting, a bank may assess whether its customers are also banking with competitors or generate advertisements for deposit or credit accounts to distribute to competitors’ customers. Banks may also use geoconquesting to develop brand recognition advertising, ensuring your bank remains top of mind when consumers seek a new financial institution. A third use of geoconquesting is competitor benchmarking, which identifies volumes of customers actively visiting competing financial institutions.
However, one drawback to using geofencing or geoconquesting is that customers typically are not thinking about banking when they are busy running errands. With the use of geoframing, marketers utilize location data captured during a consumer’s active period to push advertising or offers to those consumers at a later time when the consumer is more likely to engage. With geoframing, offers can combine location triggers with other customer information to create personalized offers at times when consumers are more likely to be interested in banking.
For example, a mortgage lender can deliver an offer triggered by a consumer visiting a new housing development during work hours. A bank using geotargeting should test different time slots for advertising delivery to maximize results.
Advertisers can use geoframing to multiply the impact of sponsorship spending. Consider a bank-sponsored community event. The bank can utilize a geofence to enhance name recognition or direct visitors to the bank’s booth at events with a physical presence. Later, the bank can use geoframing to send additional offers to attendees or booth visitors.
Geolocation can also be used to improve customer experience with your institution. If you have ever used a banking app to find the nearest branch or ATM, you have benefitted from geolocation enhancements.
Some financial institutions also use geofencing combined with cookies, device fingerprints, or other technologies to identify existing customers when they enter a branch. This can help frontline staff offer personalized greetings or automatically place customers in queues for assistance.
Financial inclusion and outreach
Banks can also utilize geolocation to help identify areas with high usage of non-bank financial services. Geotargeting residents of those areas with offers for financial literacy workshops, low- or no-fee deposit accounts, microfinance loans, or homebuyer education classes can boost performance under the Community Reinvestment Act. Additionally, when branches, ATMs, or loan production offices are near low- or moderate-income (LMI) communities, geofencing in combination with other data can provide evidence that the location is serving LMI neighborhoods and households.
Internal operations
Banks’ use of geolocation data is not limited to customer-facing applications. It also has several operational and planning use cases. Banks can use location data for proof of presence in authorized work locations or as a component of access control. Employers may use such data in incident response and fraud investigations. In emergencies or disaster responses, banks can use geolocation to prioritize employee alerts, along with outreach to affected customers.
Banks also use location data in risk monitoring. Robust collateral assessment processes may include geolocation assessments to identify flood, earthquake, and wildfire risks as additional risk factors beyond Special Flood Hazard Areas (SFHA). Distance to infrastructure, as determined by geolocation, may be considered in project viability assessments. In addition to the behavioral monitoring used in financial crimes risk management, frequent border crossings may indicate higher risks in loans that are unsecured or secured by mobile collateral.
Banks may also utilize location data to facilitate compliance with state laws. For example, when opening a mobile or digital account, banks may use geolocation information, such as IP address location, GPS coordinates, and zip code, to present state-specific disclosures, trigger state-specific tax reporting, or restrict access to products that are not compliant with the laws of the customer’s state.
Compliance considerations
Although geolocation can be helpful in banking strategy, operations, and risk management, its use also brings risks, especially concerning privacy, data security, fair lending, and unfair, deceptive, or abusive acts and practices (UDAAPs). In some ways, these risks are interlocking, as they arise from the same root concerns regarding privacy, transparency, and access.
Privacy
The Gramm-Leach-Bliley Act’s (GLBA) implementing regulation, Regulation P, defines nonpublic personal information (NPI) broadly as:
Personally identifiable financial information; and Any list, description, or other grouping of consumers (and publicly identifiable information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.[i]
It further defines personally identifiable financial information as any information:
- A consumer provides to you to obtain a financial product or service from you;
- About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
- You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.[ii]
Geolocation information from banking transactions, applications for credit or deposit accounts, debit or credit card activity, or banking app usage is NPI for the purposes of GLBA. Additionally, any offers curated and pushed to customers based on geolocation data must comply with the requirements of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) and the Telephone Consumer Protection Act (TCPA), where applicable.
Depending on the location of the bank’s customers, additional privacy laws may apply. Although the definition of “precise geolocation information” varies by state, several states have determined that precise geolocation information is sensitive personal information subject to state privacy laws. These states include California,[iii] Colorado,[iv] Connecticut,[v] Oregon,[vi] Texas,[vii] Utah,[viii] and Virginia,[ix] with additional states considering privacy bills. For banks with European customers, the provisions of the General Data Protection Regulation (GDPR)[x] may apply.
Fair lending
When evaluating geolocation usage, banks must remember fair lending considerations. In fair lending, the use of location carries redlining risks, especially when the geographies are smaller than a metropolitan statistical area (MSA). If your bank’s use of geolocation data results in fewer or less favorable offers in minority neighborhoods, there is increased fair lending risk.[xi] This is particularly true if the marketing gap persists when considering all forms of marketing and advertising, not just credit offers based on geolocation.
Similarly, branch or services optimization resulting in lower service levels or branch closures in minority areas increases fair lending risks.[xii] Basing access restrictions on geofencing or geotargeting in a manner correlated with areas of substantial minority population or membership in prohibited basis groups increases fair lending risk.[xiii]
Behavioral profiling based on geolocation could increase fair lending risk if the modeled behavior correlates with membership in a prohibited basis group. There is also a risk of disparate impact if members of a prohibited basis group are less likely to engage in the rewarded behavior. For example, if the bank makes the best credit offers to mobile banking app users, the bank may inadvertently exclude older customers.
Additionally, the bank must provide consumers with accurate reasons for denial when the lender rejects requests for credit products based on geolocation.
Unfair, deceptive, or abusive acts and practices
A lack of transparency can lead to allegations of unfair, deceptive, or abusive acts and practices (UDAAPs) when using geolocation data. Banks should clearly disclose their practices for tracking, collecting, and using geolocation data. As with other NPI covered by Regulation P, banks must provide a method for consumers to opt out of disclosure to most nonaffiliated third parties.[xiv]
There is potential for UDAAPs in location-based marketing. First, banks should take care that geolocation-based offers, or the lack thereof, are not excessively correlated with consumer vulnerability. Steering vulnerable consumers to less favorable products could be seen as a UDAAP. Second, if using geoconquesting, banks should ensure their advertising is not deceptive and does not create consumer confusion regarding which institution is offering products or services.
Operational inefficiencies can be another source of UDAAP allegations. Financial institutions should ensure that location-based offers, like other promotional offers, are available as advertised and that their operational delivery is efficient and accurate.
Finally, banks must be aware that the use of geolocation data in behavioral profiling can increase UDAAP risk in several ways. First, the customer has limited alternatives because it is not easy for consumers to change their place of residence or workplace. Second, consumers may be unaware that their locations affect product eligibility or price. Third, many consumers may be unaware that banks use passive location tracking in delivering banking products and services. When profiling includes factors that consumers cannot change or involves limited consumer awareness, and offers few alternatives, UDAAP risk increases.
Emerging risks
As the use of geolocation grows, fraudsters and privacy-minded individuals are developing ways to fake or block geolocation data. There are several methods in use, including mobile apps that falsify GPS locations, signal spoofing hardware that sends phony GPS signals to nearby devices, virtual phones and emulators that allow users to select their apparent locations, and VPNs or proxy servers that can hide or change one’s apparent location. Users may use a Tor browser to mask their locations. Some users may jailbreak or root their mobile devices or tamper with apps to change their location settings at the device or app level. There are also AI-enabled spoofing methods that emulate regular human movements, such as walking or driving.
Another emerging risk is accuracy of location data. When using geocoding or geolocation data in risk management, users must remain aware the locations may be imprecise or contain errors. Typically, geocodes are most likely to contain errors when there are multiple properties on a parcel, a property is located in a rural area, or the loan is for new construction projects.[xv] Additionally, when a location is on the border between two census tracts, the likelihood of a geocoding error increases. And in some cases, such as SFHA determination or HMDA and CRA data submission, accurate location data is critical.
Risk management
To manage the risks associated with the use of geolocation, banks should establish appropriate governance and oversight, including involvement of legal and compliance teams. Governance measures include an overarching policy governing the collection and usage of geolocation data, an inventory of all location-aware systems, and location-based filters. Some institutions have established a use case inventory with risk-based requirements for approval, monitoring, and testing.
A best practice for geolocation data usage is a privacy-first design. Informing consumers about the location data collected and how it is protected and used can increase transparency and trust. Emphasizing the use of geolocation data to secure customer accounts and guard against financial crimes is critical. Privacy disclosures must accurately reflect data practices and provide opt-outs where required by law or regulation. Allowing customers to opt out of location-aware marketing or location sharing can increase customer trust. Internally, policies and procedures should establish limits for data retention and usage. When appropriate, banks should anonymize geolocation data for analytical purposes.
To manage consumer protection risks, banks should consider testing the impact of geography-based restrictions on fair lending performance, including the potential for redlining or other disparities in access to products and services on a prohibited basis. Banks should review credit and marketing models using location data through a fair lending lens. Complaint monitoring can help identify customer pain points related to offer fulfillment and address consumer concerns regarding privacy.
To stay ahead of fraudsters, financial crimes prevention and detection teams must remain aware of emerging technologies and implement countermeasures. For example, comparing GPS, Wi-Fi, cellular, and IP address locations may help detect location falsification. Anti-spoofing tools can help detect jailbreaking, rooting, and location emulators. Digital fingerprinting is useful in detecting cloning and spoofing. Behavioral or movement tracking, which detects how rapidly and far an apparent location moves, is another useful tool.
Finally, to manage risks associated with location accuracy, users of geocoding and geolocation data must be aware of the accuracy and precision of the location service or geocoding used. This may require using multiple location sources, as well as supplementing the geolocation data with satellite images or site visits when required to ensure appropriate and accurate location data is used.[xvi] This is especially true when the need for location precision is greater.
Conclusion
Geolocation applications are core tools in digital banking. Such tools are especially useful in preventing and detecting financial crimes, as well as in personalizing banking products and services. However, if used without appropriate governance, geolocation applications expose banks to regulatory risks, including those related to privacy, information security, fair lending, and UDAAP. Within a proper governance framework, geolocation enables banks to offer tailored, compliant, and inclusive services while combating financial crimes. However, users must remain aware of emerging risks and mitigation strategies related to the use of geolocation data.
Sample Use Cases
| Usage Type | Use Case | Helpful Supplemental Data |
| BSA/AML
|
AML/Sanctions geofencing | IP Autonomous System Number (ASN), OFAC Specially Designated Nationals and Blocked Persons (SDN List)and other sanctions list administered by OFAC. |
| BSA/AML | KYC/onboarding | IPASN, OFAC SDN, ID verification results |
| Compliance | Outreach and Inclusion monitoring | Branch and ATM usage data; LMI tract flags; CRA performance metrics; customer income flags |
| Compliance | State-law gating | State code tables, licensing registries, user physical address |
| Credit Risk | Regional credit risk overlays or policies | Local unemployment rates; economic indicators; disaster declarations |
| Credit Risk | Collateral risk scoring and insurance requirements | Parcel data; FEMA Special Flood Hazard zones; wildfire, mudslide, and earthquake indices; property and building attributes; site visits; satellite imagery |
| Customer Experience | Branch/ATM locators and wait times | Live queue data; hours of operation; service levels; map tiles; accessibility tags |
| Customer Experience | Travel-related reminders and services (auto travel detection for cards, fees, foreign exchange, transaction monitoring) | Flight/itinerary data (if not available in transaction data); historical travel patterns; |
| Fraud Prevention | Card transaction anomaly detection | Device fingerprint; IP information/reputation; merchant MCC; time zone; SIM country; transaction velocity |
| Marketing | Geofenced in-app offers near branches or marketing partners | Merchant beacons; CRM segment data; opt-in/out consent flags |
| Marketing | Location-based rewards or loyalty programs | Local event or merchant data; merchant categories; purchase data; consent flags |
| Security | System access controls/login risk scoring | Device information; VPN/TOR signals; biometrics; behavioral patterns; IP information |
| Security | Physical access control | Office/site lists; hours of operation; time of day; device information |
ABOUT THE AUTHOR
Lynn Woosley is a Managing Director with Asurity Advisors and a member of the Editorial Advisory Board for ABA Risk and Compliance magazine. Lynn has more than 30 years of risk management experience in both financial services and regulatory environments. She is an expert in consumer protection, including fair lending, fair servicing, community reinvestment, and UDAAP. Before joining Asurity Advisors, Lynn led the fair banking practice for an advisory firm. She has also held multiple leadership positions, including Senior Vice President and Fair and Responsible Banking Officer, within the Enterprise Risk Management division of a top 10 bank. Prior to joining the private sector, Lynn served as Senior Examiner and Fair Lending Advisory Economist at the Federal Reserve Bank of Atlanta. Reach her at lwoosley@asurity.com.
[i] 12 CFR 1016.3(p)
[ii] 12 CFR 1016.3(q)
[iii] California Consumer Privacy Act (California Civil Code §1 798.150(a)(1) and California Privacy Rights Act (California Civil Code § 1798.140(ae)(1), (2)
[iv] Colorado Privacy Act (Colorado Revised Statutes, § 6-1-1303(17.4))
[v] Connecticut Data Privacy Act (Connecticut General Statute § 42-466(19))
[vi] Oregon Consumer Privacy Act (Oregon Revised Statutes, § 646A.572 and §646A.578)
[vii] Texas Data Privacy and Security Act (Texas Business & Commerce Code § 541.001(21))
[viii] Utah Consumer Privacy Act (Utah Code § 13-61-101)
[ix] Virginia Consumer Data Protection Act (Virginia Code § 59.1-571)
[x] General Data Protection Regulation 2016-679 (OJL 119, 4.5.2016, pp.1-88)
[xi] Indicators of potential disparate treatment in Marketing https://www.federalreserve.gov/boarddocs/caletters/2009/0906/09-06_attachment.pdf
[xii] Indicators of potential discriminatory Redlining https://www.federalreserve.gov/boarddocs/caletters/2009/0906/09-06_attachment.pdf
[xiii] https://www.consumerfinance.gov/about-us/newsroom/cfpb-targets-unfair-discrimination-in-consumer-finance/
[xiv] Subject to the exceptions in 12 CFR §§ 1016.13, 1016.14, and 10169.15.
[xv] https://blog.afrservices.com/get-a-peek-behind-the-curtain-on-flood-determinations
[xvi] https://blog.afrservices.com/flood-determinations-balancing-technology-and-human-expertise