HBP# IM1225

IMD-7-2288
17.03.2022

MASTERCARD’S ETHICAL APPROACH TO GOVERNING AI

Professor Öykü Isik and Researcher Dr Lisa Simone Duke prepared this case as a basis
for class discussion rather than to illustrate either effective or ineffective handling of a
business situation.

Copyright © 2022 by IMD – International Institute for Management Development, Lausanne, Switzerland
(www.imd.org). No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means without the prior written permission of IMD.

This document is authorized for use only in Jose Teixeira's 2606-Data Ecosystems and Governance in Organizations TA,TB S1 2023-24 at Universidade Nova de Lisboa (UNL) from Sep 2023
to Dec 2023.

The Mastercard team – Caroline Louveaux (Chief Privacy Officer), JoAnn Stonier (Chief
Data Officer) and Rohit Chauhan (EVP, Artificial Intelligence) – reflected on Mastercard’s
process to respond to the increasing use of artificial intelligence (AI). What did it mean for
the company’s values, its product development and its Privacy by Design and AI
Governance Framework and, in the future, how should these challenges be tackled?
Mastercard, a global technology company in the payments industry, was known as a
leader in Privacy by Design and Data Responsibility; employees followed strict guidelines
and robust frameworks to make sure data was leveraged only in ways that were ethical,
compliant within the regulatory environment and enhanced the consumer experience. The
company viewed AI as a significant part of its business strategy, using it to fight fraud,
improve the consumer payment experience, increase efficiencies and decrease costs in
back-end systems. As well as developing AI applications internally, Mastercard had
acquired several businesses to expand its capabilities. One particular acquisition would
enable it to use AI to solve expensive and time-consuming dispute resolution by reducing
processing from 120 days to less than 24 hours and decreasing the cost by 75%.

When Johan Gerber, EVP Security & Cyber Innovation, led the integration of the business,
he needed to ensure the acquisition met Mastercard’s high data protection standards.
During the review, he quickly realized there were Privacy by Design challenges relating to
this new data that needed to be addressed so that his team could bring it into Mastercard’s
secure facilities in a way that aligned with its values. The only thing Mastercard typically
knew about cardholders was their card number; all other personal details were held by
their bank. Mastercard had, over the decades, actively communicated that it did not want
access to more data than absolutely necessary to achieve a specific purpose. Gerber
immediately involved the privacy and data governance teams, working with them to identify
solutions that abided by the Mastercard Data Responsibility Imperative, Privacy by Design
and the Mastercard AI Governance Framework. The integration process took three years
and was resource intensive, necessitating new data centers, and addressing security
requirements and data access controls.

Mastercard believed that the combination of a solid Privacy by Design process and
additional governance specific to AI – “the AI Governance Framework” – was the right
approach for the long term to maintain consumer trust. This approach meant making
organizational and managerial choices to ensure that AI governance did not result in a
reduction in innovation. The speed of AI integration and need for ethics in data practices
would only increase. What would this mean for Mastercard’s business model, profitability
and innovation capabilities in the future?

ABOUT MASTERCARD
“Mastercard is a technology company in the global payments industry that connects
consumers, financial institutions, merchants, governments, digital partners, businesses
and other organizations worldwide, enabling them to use electronic forms of payment
instead of cash and checks.” 1

Founded in August 1966, the Interbank Card Association (ICA) was formed by a group of
American bankers as an umbrella for Master Charge – a credit card payment system. The
association was governed by consensus between member banks, which established
guidelines for card authorization, clearing and settlement. Within two years the system was
launched internationally. Innovations included a computer network to replace telephone
authorizations in 1973, the magnetic strip that appeared on cards in 1974, and the
automation of card slips in 1975, which replaced mailing them. In 1979, Master Charge
became MasterCard. Further automation improved authorizations worldwide in the 1980s.
After its acquisition of Cirrus, the largest ATM network in the world, in the 1990s,
MasterCard holders were able to withdraw cash at over 50,000 locations across the globe.
MasterCard introduced the Maestro debit system in 1991, enabling cardholders at
participating banks to pay for transactions directly from their current accounts. By 2021,
Mastercard employed approximately 21,000 people globally. Its net revenues were
US$15,301 million (US GAAP) down 8% on 2019 due to COVID-19 impacts.

Mastercard was created to authorize payments and clear transactions and payments.
Mastercard’s customers were issuing banks and retailers/e-tailers. Banks offered their
customers Mastercard branded cards to make purchases while retailers (merchants)
agreed to accept the card for purchases. When a consumer purchased a product, the
retailer’s payment terminal digitally transferred information via Mastercard’s technology
to the bank to verify that they would accept the payment. Data were transferred instantly
through the system to authorize the payment and transfer the funds from the issuing
bank to the merchant bank (acquirer), as shown in Figure 1. Mastercard did not know
who the consumer was, only that card number x had made a purchase. The issuing bank
held all other personal data on consumers, including their name, contact details and what
they purchased.

1 Mastercard Incorporated, Form 10-K, 2020, https://s25.q4cdn.com/479285134/files/doc_financials/2020/ar/MA.12.31.2020-10-K-as-filed-w-exhibits.pdf.

Figure 1: Mastercard’s Core Business Model

Source: Mastercard

In the case of a query, Mastercard issued the bank with a record of the transaction. It
also followed up and anticipated potential fraud.

AI AT MASTERCARD
Mastercard’s vision was to become an AI powerhouse, enhancing its products and
solutions as well as improving its own operations to become more efficient and effective.
The company saw AI as a powerful tool to support its fraud prevention and cybersecurity
processes including fighting money laundering.

There were various steps to designing an AI algorithm – identifying the problem (what
are you attempting to solve, or what is the desired outcome?), preparing the data
(organizing and cleaning it, checking for inconsistencies, labelling if needed), choosing
the algorithm and training it (with data). Rohit Chauhan, who led
Mastercard’s AI Garage (created in 2018, where the data scientists work), explained:

What makes AI different from traditional computer systems is driven by
how AI models are trained. In normal non-AI systems, you write the rules,
and you train the model by giving it the rules of how exactly it needs to
react. However, in an AI system, you just provide the data and you let the
data train the model, so that it can then produce its own rules to be able to
reach the desired output.

Mastercard was aware that one common issue in AI deployment could be the biases
inherent in datasets.

In a recent example from a medical school, AI-driven translation software was trained not
by linguists but by feeding it 5,000 different books in English that had also been translated
into French. The AI model then created a rule that took the sentence in one language and
converted it into the other. If in the books used, doctors were always referred to as “he,”
then the AI would associate doctors with males. If the nurses in the books were referred to
as “she,” then the AI would associate nurses with females. So, when the AI was deployed
to check applications to medical schools, it would likely screen out female applicants in
favor of male applicants. The bias didn’t come from any ill intent from the developers but
from the non-representative dataset.

AI is trained by providing it with a set of inputs and their related outputs. Given this
input-output relationship, Mastercard created its own rules to, amongst other things, solve for
inherent biases in the data. Transparency and explainability were top of mind so that AI
could replicate the same logic given a new series of inputs.

A second issue that Mastercard wanted to pay attention to was the biases of those
creating the algorithms. Inadvertently, AI developers could bring their own perspectives
drawn from their education, life experiences, upbringing, whether they were men or
women, religious perspectives, and nationality/cultural biases. These all could have an
impact on the question the AI had to answer.

It was with these potential issues in mind that the team at Mastercard developed the AI
Governance Framework to complement its already existing Privacy by Design process.
The framework would ensure that full due diligence was put in place when a model was
built. The data and algorithms would be evaluated, and any potential biases would be
proactively identified and mitigated. An AI Governance Council was given a mandate
from the executive team and formed to ensure that all issues were managed in a
coordinated way.

A principled approach to data


Mastercard had a culture based on decency – the so-called Decency Quotient 2 –
meaning that the company and individual employees wanted to do the right thing. This
flowed through all processes and interactions and, particularly, with regard to data, as
explained by JoAnn:

Two years ago, we launched the Data Responsibility Imperative – a culture
of awareness around data that if we’re going to be a technology and data
company, everyone needs to understand that all our data practices have
to be responsible. One of our principles is integrity – integrity in our data
and data practices. We have put a lot of the thinking around AI under
“integrity.” Data ethics fits perfectly there. Everyone was trained as to what
that means.

2 https://www.mastercard.com/news/perspectives/featured-topics/decency/

Mastercard considered that this approach was an essential part of its identity and brand
and that it benefitted the company. It believed that in the future, consumers and
organizations would gravitate towards actors that demonstrated they were doing the right
thing with personal data. The company took a stand that data practices should be guided
by the rights of individuals based on six principles (see Figure 2).

Figure 2: Mastercard’s data practices and principles

Source: Mastercard

The AI Governance Council


There were three main teams at Mastercard with a data governance focus: Privacy – led
by a Chief Privacy Officer; Data Strategy & Management – led by a Chief Data Officer; and
AI – led by the EVP, Artificial Intelligence. The three leaders of these teams met regularly
to discuss new regulations or regulatory guidance and any use cases that were sensitive
from a legal, regulatory, commercial, or reputational perspective. Together they formed the
AI Governance Council, which also included Mastercard’s Chief Security Officer. The
Council also involved other senior leaders depending on the context of the use case. For
example, the Head of HR would participate if an AI application on recruitment was being
considered, or the Head of Fraud for matters concerning fraud monitoring and prevention.
External experts could also be contacted when certain opinions or skills were required.
Caroline explained the origin of the AI Governance Framework:

We developed the framework starting in 2017 because it became clear that
more could be done in terms of AI beyond our already strong “Privacy by
Design” process. Due to AI’s specificities and potential implications on
society, geographies, and populations, we decided we needed to start
formulating our governance process before expanding the activities of our
AI Garage and before being legally required to do so. We knew it would be
an iterative process, as we were unlikely to get it right the first time.

Meeting on a regular basis enabled the Council members to understand the objectives
and priorities of the business in advance of work being started. The team was then able
to advise on how to minimize negative impacts based on their understanding of the
objectives. Mastercard already had a product development process that all new products
had to pass through, and privacy was part of it. This process brought teams together to
brainstorm and design products that were privacy-preserving and ethical.

The AI governance process


Ethical AI at Mastercard meant having an AI algorithm deployed and used in a way that
went beyond mere legal compliance but also genuinely took into account the impact on
people (individually) and society (collectively). Artificial intelligence is composed of three
distinct parts: data inputs, algorithmic process – the creation of the algorithmic equations
and inquiry – and then application of the AI. JoAnn explained:

We’re looking for disparate impact or fairness in the outcomes on
individuals as well as on the inquiry that you've started out answering. The
ethics of AI are still being defined, but the idea is that you are not building
artificial intelligence or machine learning that is distinctly biased in some
way, in any one of those areas or multiple areas. As the machine begins
to learn, what you want to avoid is that it amplifies incorrect assumptions
or inherent biases.

A balance was necessary to ensure that the AI governance process was not started too
early when there was still insufficient information about the data that would be used or
how it would be used. Informal conversations with the EVP, Artificial Intelligence ensured
that the process started when a project was mature enough to conduct a fairly thorough
review and analysis. Timing was still a work in progress. When personal data was
involved, the privacy team also initiated the Privacy by Design process. Caroline
described:

There are lots of synergies between the two processes. We work together
as one team; we document things in a way that is compliant with the GDPR
and other privacy laws globally. In addition, we work together with the AI
and the Data teams in order to complete the bias assessment. So, the two
processes go hand in hand and reinforce each other as they run in parallel.
The outcome of the Privacy by Design process feeds into the AI
governance review process and vice versa.

When a new product or service was to be created, the business in question would
approach the Privacy team and the Privacy by Design process would begin (see Figure
3 for steps). This was all set against laws and regulations in the various territories.
Compliance was a strong driver and keeping up with any new laws and regulations was
essential. Pagona Tsormpatzoudi, Vice President – Senior Managing Counsel, Privacy
& Data Protection, summarized the five-step process:

The entire process is a loop. In Engage we gather facts and see whether
the product requires a Privacy by Design assessment. This typically
involves gathering information about the product, including whether
personal data is involved. Document is to identify the framework that will
be used to assess the product/service. We have developed specific
frameworks for business lines with unique needs. Assess is for the team
to identify the risks against privacy and data protection laws – rights over
data use, transparency requirements, whether there is a process in place
to respond to an individual’s enquiries, is there an opt-out option? Also, a
data protection impact assessment, for sensitive activities. For example, if
AI or biometrics or health data are involved, additional factors need to be
assessed. In Mitigate the team provides guidance and recommendations
on privacy controls and agrees on a plan to implement the
recommendations. Audit discusses and keeps a record of any residual
risk after the recommendations have been implemented or a retrospective
review to close the loop. But if a business wants to add a new feature to
the product/service, work with a new service provider or add another
purpose to the product/service, then the loop starts again.

Figure 3: Privacy by design process

Source: Mastercard

The team looked at the principle of fairness to ensure that the technology treated people
fairly and appropriately. They explored questions such as what methodologies were used
to check and eliminate bias? Had a methodology been used to ensure that the algorithm
did not drift from its intended purpose? How was data quality being ensured? Because
Mastercard operated in the B2B space, it identified creative ways to be transparent in
explaining how its AI algorithms work so its customers could explain them to their own
customers: the consumers. The process could be lengthy, but this always depended on
the maturity of a product/service. For a new solution involving entirely new models it
could take a year or even longer.

If a problem was identified, the data scientists had a toolbox of technical remedies to
apply. This included using specific methodologies to identify any type of bias and to
mitigate for that bias. In some situations, the Data team and the Privacy team needed to
advise on other potential remedies. For example, a “people remedy” could be to make
sure there was good diversity in the teams working on AI in terms of different
backgrounds, skills, cultures, race and gender. One recent example was brought on
during the COVID-19 pandemic, when a higher number of online transactions created a
unique situation. The data used to train the AI model was based on the concept of
population stability – a regular level of transactions usually seen from a population in a
given location or from a given population. With the sudden higher level of online
transactions during the pandemic, the level and type of transactions might have been
different from what was normal for this population, which could have been due to fraud.
The AI team had to check the model to ensure that it didn’t drift, and that the transaction
activity was correct and not due to fraud. Figure 4 shows the AI Governance Framework.

Figure 4: AI Governance Framework

Source: Mastercard

1. Purpose evaluation – to determine whether a specific use case for AI aligned
with Mastercard’s values, i.e., to protect the individual and make a specific
process more efficient and accurate.

2. Data evaluation – to establish whether the data was the right data in terms of its
availability and quality.

3. Use case evaluation and data model design – to evaluate the data in light of
the specific use case (was it fit for purpose?) and to design the different
parameters around it. This step was crucial since it also focused on eliminating
bias – what factors could be researched in the data to confirm the purpose and
pinpoint the types of bias that might be present?

4. Model risk scoring – to assess whether the models presented any risk once the
different factors had been identified and methodologies to eliminate bias had
been implemented. If the models presented medium/high risk, the AI Council was
consulted.

5. Model build and impact assessment – to test the model and look into it in
context. Did it make sense? Did it lead to good results?

6. Monitoring and audit – to assess how the AI performed in the longer term –
essentially monitoring in both the testing phase and production, where
testing/monitoring took place at regular intervals.

Challenges
In developing the framework, the team faced two immediate challenges. The first was
that there was no model or benchmarks. The team looked into literature and existing
research, and talked to AI experts, pulling these insights together into a robust
framework. This took considerable time. They took inspiration from the Privacy by Design
process and extended the new framework to look more deeply into the quality of the
data, how timely it was, whether it was accurate and where it came from. Their approach
was to understand the building blocks of AI and then go into details to ensure they had
considered all aspects of creating and using AI applications.

The second challenge was to get support on the need for the AI Governance Framework
from all internal stakeholders. Rather than halting development of the framework to get
full support, they decided to continue to build it and keep all teams in the loop. Caroline
explained the collaboration challenge:

First, IT teams and data scientists sometimes hope for the perfect solution
– a formula we can bring them that they can apply – but we don’t have one.
We have to find the answers together. We work with them to get them to
understand a new way of thinking – that we have to test out together and
adjust as we go along. That’s the new mindset and new way of working.
Second, Mastercard does not have a direct relationship with individual
consumers, so it can be challenging for us to assess whether the AI has the
potential to impact individuals. So, we partner with our customers (banks) –
they are better placed to identify impacts, for example, if there is potential
bias. Collaboration is key to get it right. This is one of the complexities – that
not everything is under our control. Last, there is a trust deficit in how
companies and governments use AI. It is therefore critical to have a robust
governance process in place to restore that trust.

Another challenge was the volume of work. Creating the framework was very labor
intensive for the team. It was important to ask the right questions and there was no best
practice rubric that existed to govern AI. The framework continued to evolve; every time
the team reviewed a model, they uncovered new aspects they needed to build into it to
ensure it was robust. The governance process was reviewed by several leading
academic institutions and their feedback was incorporated.

BUSINESS INTEGRATION ISSUES


Dispute resolution was resource intensive for banks and merchants, in some cases,
costing them 25% of their operating expenses. Disputes occurred when a consumer
returned goods (known as a chargeback) or queried a transaction that turned out to be
fraudulent. It could take up to 120 days for resolution between issuing and acquiring
banks and merchants. With the aim of reducing the time and costs involved, Mastercard
identified a business that had created a network linking merchants and banks, which
addressed the issue by directly messaging both parties in a dispute, allowing for
faster resolution. The start-up also developed digital receipts, replacing easily lost paper
ones, that enabled consumers to review what they had purchased later on.

Typically, Mastercard would integrate the business to fully ensure that all data was kept
under its own stringent privacy and security controls. Johan Gerber explained:

When we looked at the data brought in by the business to the Mastercard
universe, we realized that this is not in accordance with our principles and
focus on privacy. The Privacy by Design process and the AI Governance
Framework really helped us to take a step back and focus on who we are
and what we stand for.

The solution was not to integrate but instead keep the start-up as a separate entity, only
sharing the data with Mastercard that was strictly needed for operational reasons, such
as HR and procurement systems. This also meant the start-up’s data had to be housed
in a more secure way according to Mastercard’s approach. In this case, new data vaults
were built to ringfence the data more securely with restricted access. In order to benefit
from being able to offer the digital receipts, systems had to be redesigned to ensure
appropriate privacy and security controls.

These actions and the loss of potential synergies from integration further contributed to
the costs. A couple of years later, another iteration of the Privacy by Design process and
application of the AI Governance Framework took place. This was triggered by
organizational change to achieve operating synergies and to improve sales by moving
some of the start-up sales strategy employees into Mastercard. Again, the issue of
access to data was flagged and had to be addressed, costing time and money. In all, it
took three years to address all the issues stemming from the integration.

INTO THE FUTURE


Mastercard continued to pursue its AI strategy. After the experience with the start-up
acquisition, the Privacy by Design process and the AI Governance Framework were
applied as part of due diligence during acquisitions. This resulted in Mastercard walking
away from at least two potential acquisitions. By taking this approach, however, the
company was adding to its costs across different dimensions, including human resources
and systems redevelopment. Would applying the framework reduce profitability? Another
challenge for the AI Governance Council and the Data teams was the increasing volume
of work involved in applying the framework – how could they find a balance?
Furthermore, if employees were afraid their ideas might contravene the framework,
would this stifle Mastercard’s innovation capabilities? Another topic being discussed was
how to audit Mastercard’s governance framework. What was the best way forward given
that other firms also seemed to be struggling with these questions?
