Fraud detection has long taken for granted that payment data can move freely across markets and borders, until it can’t anymore. Centralised systems thrived on this freedom, connecting signals across regions to detect fraud at scale.

Merchants are caught between two unforgiving pressures. On the one hand, too much centralisation risks violating strict data residency rules, inviting trouble with regulators and fines, along with operational disruption. On the other, too much isolation starves fraud detection of the signals it depends on, leaving suspicious activity in blind spots.

At first, it may seem like an impossible choice that needs to be made between compliance and visibility. What if it’s not?

For these seemingly irreconcilable dimensions to co-exist, merchants need to be at peace with the fact that localisation rules will continue to change and that new markets will introduce new constraints. But this starts to look less like an impediment when the goal is adaptability, not foresight.

What does localisation really have to do with fraud detection?

Long story short, fraud tools rely on aggregation, and patterns become clearer when transactions across regions can be analysed together. As localisation laws evolve and tighten, fraud detection is facing a reckoning: some fraud signals will need to stay local. Risk decisions may happen closer to the transaction rather than in a centralised system.

The motivations are quite straightforward.

Governments are driven by oversight and control; regulators need speed and access to act on risk; and consumers want privacy, transparency and confidence in how their data is handled.

Together, these pressures are reshaping how payment data can move, and that shift lands directly on merchants. They are expected to prevent fraud while respecting regional constraints, expand globally while keeping data local, and make fast, confident risk decisions with only part of the picture in hand. If this sounds stressful, you’re not wrong.

The pressure is often felt first by merchants entering new markets. Local regulators often require that payment data stay within national borders, and merchants can’t sidestep these rules. They end up shouldering the impact of local regulations, ready or not.

Take India, for example. Payment data for domestic transactions is required to stay within the country. A merchant relying on a global fraud system suddenly finds that much of the data it depends on can’t leave the country. To comply, they may need to route payments through local providers, adjust fraud monitoring tools for local use, and reconcile insights manually, all while trying to maintain the same level of risk protection as before.

The making of the silos

What starts as a compliance decision can quickly rewire the entire payment setup. Each new provider in the stack adds another layer to manage, introducing operational complexity.

Routing becomes more complex, reporting starts to split across systems and even everyday operations like support and reconciliation become harder to manage.

Without something tying it all together, what we might call a coordination layer, localisation can slow expansion and increase cost. Expanding into a new market can feel like rebuilding the payment stack from scratch. Many merchants respond by creating market-specific configurations that satisfy local rules but reduce flexibility, causing a drift further from a unified system. Over time, fragmented systems solidify into silos that are hard to untangle later.

For fraud detection, this fragmentation is particularly dangerous. Patterns that would have been obvious in a centralised view now stay hidden locally. Analytics and automated tools may miss emerging threats or spot them too late because insights are scattered and incomplete. Loose ends in reporting and routing mean that suspicious transactions can slip through gaps, leaving risk teams scrambling to reconcile mismatched data. Work that once took hours now takes days, which negates the responsiveness that fraud detection relies on.

In effect, the structural tension between compliance, localisation, and operational complexity subverts the accuracy and speed of fraud response.

A distinction that cannot be overlooked

The ability to navigate evolving payment regulations and maintain effective fraud monitoring is anchored in a fundamental distinction between data residency and data sovereignty. Residency tells you where data must be stored, while sovereignty goes further to define who can access it and under what conditions. Some regulations allow data to remain local while still being accessed remotely; others restrict access strictly to systems within the country.

These nuances have direct consequences for payments, fraud detection, and reporting, shaping how signals are collected, analysed, and acted upon. For instance, complying with storage requirements might look like a job well done, but if the wrong systems or teams can query the data, a merchant may still be in violation.
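To make the distinction concrete, here is an added example (not code from the author or from any product) that checks residency and sovereignty as separate conditions, so a request against correctly stored data can still be refused. The market names, regions, roles and policies are constructed placeholders, not statements of any real regulation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MarketPolicy:
    storage_regions: frozenset  # residency: where raw payment data may be stored
    access_regions: frozenset   # sovereignty: where querying systems may run
    allowed_roles: frozenset    # sovereignty: which systems or teams may query

# Constructed policies for two hypothetical markets.
POLICIES = {
    # Data stays local but may be queried remotely.
    "market-a": MarketPolicy(frozenset({"a-local"}),
                             frozenset({"a-local", "global"}),
                             frozenset({"fraud-engine", "risk-analyst"})),
    # Data stays local and only in-country systems may query it.
    "market-b": MarketPolicy(frozenset({"b-local"}),
                             frozenset({"b-local"}),
                             frozenset({"fraud-engine"})),
}

@dataclass(frozen=True)
class AccessRequest:
    market: str           # market whose transactions are being queried
    stored_in: str        # region where the data actually sits
    accessor_region: str  # region the querying system runs in
    accessor_role: str    # system or team issuing the query

def evaluate(req):
    """Return the list of violations; an empty list means the request is allowed."""
    policy = POLICIES.get(req.market)
    if policy is None:
        return ["no-policy"]  # fail closed for markets with no defined policy
    violations = []
    if req.stored_in not in policy.storage_regions:
        violations.append("residency")
    if req.accessor_region not in policy.access_regions:
        violations.append("sovereignty-region")
    if req.accessor_role not in policy.allowed_roles:
        violations.append("sovereignty-role")
    return violations

if __name__ == "__main__":
    # Storage is compliant in both cases; only the second is a violation.
    print(evaluate(AccessRequest("market-a", "a-local", "global", "fraud-engine")))
    print(evaluate(AccessRequest("market-b", "b-local", "global", "fraud-engine")))
```

Running the same check at every query path (fraud evaluation, analytics, reporting) gives the consistent access control that storage location alone cannot provide.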

Accounting for this distinction calls for treating transaction processing separately from analytics, fraud evaluation, and reporting functions. Keeping these layers independent allows merchants to comply with local regulations while still retaining a unified perspective on risk. Standard, rigid architectures struggle under these evolving requirements, for it’s the ability to remain flexible that enables systems to adjust over time. This is why trying to retrofit localisation onto older, inflexible systems often creates friction, inefficiencies, and operational gaps that can undermine fraud detection.

A more adaptable payment architecture can make it easier for merchants to adjust to new regulations without overhauling their entire system. Different markets have varying rules around data residency, payment processing, and reporting, so being able to route transactions through local providers when necessary ensures compliance while maintaining operational efficiency. At the same time, keeping sensitive data within required boundaries while maintaining consolidated oversight of logic and reporting helps preserve visibility across the system.

Similarly, modular fraud tools and flexible routing make it possible to fine-tune risk controls for individual regions in response to local patterns of fraud, without losing sight of the broader picture. Balancing local responsiveness with centralised insight creates a structure for managing regulatory and operational challenges, while avoiding the fragmentation that can happen when compliance and management are handled in isolation.

The last thing fraud detection needs is a myopic view

As businesses expand across markets and localisation requirements grow, thoughtful design and careful coordination must go hand in hand. Clear data paths, consistent access controls, and a deliberate separation of sensitive and non-sensitive information can provide the foundation for adaptability, while orchestration provides a framework to connect local operations with global insight.

Without balancing complexity with structure, merchants risk duplicating rules across markets, fragmenting systems, and escalating operational overhead. Coordinating processes across regions doesn’t mean bypassing local requirements but linking them together. Even as transactions and data remain region-specific, insights, risk logic, and reporting should feed into a single, coherent view of risk. Ultimately, merchants need to detect and respond to threats quickly and clearly, without running into regulatory issues.

John Lunn, CEO and co-founder of Gr4vy