Need one common standard on AI regulation: Mastercard's Caroline Louveaux

Mastercard's chief privacy officer calls for principle-based, tech-neutral global AI rules to build trust, cut regulatory fragmentation and enable AI adoption at scale

Caroline Louveaux, Mastercard’s chief privacy officer, says a global regulation on artificial intelligence is important to help build trust in the new technology. In a conversation with Avik Das on the sidelines of the AI Impact Summit, she calls for laws that are principle-based, future-proof and tech-neutral to help enterprises adopt AI at scale. Excerpts: 

How do you get the balance right between data responsibility, privacy and artificial intelligence at Mastercard? 

For a company, it is really important to have a couple of things. One, to establish global principles or at least strong principles. At Mastercard, we have data and technology responsibility principles — about six or seven — that guide everything we do with AI. It is really important to be accessible to the employees and to truly instil that culture throughout the company. Then, of course, you need to translate these principles into practice and that is a hard task. 

These principles include privacy, security, accountability, transparency, inclusion and fairness. We have a very strong AI governance programme co-owned by myself, the privacy team and our chief AI officer. All the new innovations come to us and we review them against our principles and all the laws. We designed a framework where we incorporated all the legal requirements because AI is not operating in a vacuum; it is already regulated. Then we recommend controls and safeguards before it can be launched. 

How aligned are regulators globally when it comes to regulating AI and how are the regulations evolving?

 

It is a bit of a headache. So the principles are usually very similar, but then when you go a level down, we face a soup of digital regulations. AI is being regulated by AI but also by privacy laws, cybersecurity, digital identity and many other laws. That increases cost and complexity and does not provide the legal certainty that we need. So I do think there is a need for collaboration across all governments, and also to have common principles and standards.

 

How are you embedding AI and GenAI to make transactions more secure or improve fraud detection techniques?

 

For agentic commerce, it raises huge opportunities but also novel types of risks and challenges. Some of our major principles include knowing, verifying and trusting the agents before they act and initiate a transaction. Second is security and privacy by design, and we are leveraging our advanced capabilities in terms of tokenisation. The third guardrail, which is new, is intent because we want to make sure that if you want to make a transaction with an agent, you remain in control of what you authorise the agent to buy for you. And the last is about traceability and auditability — being able to reconstruct what happened so that if you have this issue, you can have redress and dispute resolution mechanisms.

 

Where has Mastercard seen the maximum impact of AI?

 

For us, it has definitely been in the fraud space. We have used GenAI techniques that help us increase the speed and the accuracy of our fraud detection tools by up to 300 per cent, which is really a game changer. We have launched AgentPay, the agentic commerce solution to enable consumers to make agentic payments — so asking an AI agent to make a payment on their debit card.

 

As countries focus more on sovereign AI, is there an increased likelihood of complying with data localisation?

 

You have many countries going for privacy, AI governance and allowing data to flow. Because, let us be honest, if you want AI to deliver fair outcomes for everyone, you need to have access to global data sets. AI relies on a lot of data to be trained for being inclusive and fair. Rather than data localisation, data should be flowing more because, from the security standpoint, cybercrime does not respect borders and fraudsters act on a global scale.

 

What would an ideal balance be between privacy, sovereignty, regulation and AI innovation?

 

From a policy perspective, we would need to have one international standard and then local guidance to say how these principles really apply in a certain market, taking into account the country, cultural differences and languages. What worries me is the fragmentation of regulations and lack of trust between countries.

 

Can you scale AI without regulating it?

 

We need good regulations that are principle-based, future-proof, tech-neutral and aligned with international principles. It provides businesses with what they need in terms of clarity in the guardrails. If you have a lot of heavy brakes, the car is going to go slower because everybody is scared. But with proper brakes, the car can go much faster.

 

How to make AI trustworthy to users?

 

Transparency and explainability are very important in the context of AI. You need to be able to explain how AI is making the decisions, how it is being trained, how individuals can stay in control. And this is obvious, but it is not that easy to do.

 

For example, when we use AI to fight fraud, it would not make sense for us to give detailed information to consumers about how our fraud algorithms work, because we would give ammunition to the fraudsters to game the system and circumvent our rules.

 

So we are leading a conversation with regulators and industry players to explore what it would look like and to provide practical guidance for the industry. Because I think at the end of the day, if you cannot explain how decisions are being made, it is not optimal for trust and to provide consumers with redress if they need dispute resolution.