Data is vital to nearly any business operating in today’s digital economy, and the financial-services sector is no exception. Financial institutions, whether large legacy banks or small fintechs (financial-technology firms), need efficient access to data to make better, more informed decisions as part of their recurring business processes. However, data silos and boundaries driven by regulatory and privacy imperatives are often crippling obstacles to making true data-driven decisions. Such barriers also hamper financial organizations’ ability to fight issues such as fraud and money laundering, which are massive global challenges. According to the United Nations Office on Drugs and Crime (UNODC)1, an estimated 2 percent to 5 percent of global gross domestic product (GDP), or US$800 billion to US$2 trillion, is laundered globally every year.
In addition to fighting crime at this incredible scale, financial institutions are subject to some of the world’s most stringent data-protection regulations, including the General Data Protection Regulation (GDPR) in the European Union (EU) and the Gramm-Leach-Bliley Act (GLBA) in the United States. Failure to comply with these laws can result in significant fines, legal consequences and reputational damages. To help mitigate the risks of compliance breaches, hundreds of millions are spent each year on solutions designed to enable KYC (Know Your Customer) and CDD (Customer Due Diligence) within these regulatory guardrails.
Despite such needs, few current efforts focus on protecting data while it is being used or processed, enabling financial organizations to leverage customer intelligence and other sensitive data across jurisdictions or between silos. That trend is beginning to shift as the visibility of a group of technologies known as privacy-enhancing technologies2 gains recognition for the category’s ability to harness the power of data while addressing many of these big-picture challenges.
Transformative Technologies
Until recently, the discussion of privacy-enhancing technologies, or PETs, had not fully permeated the broader commercial market. However, thanks to visible efforts by global groups, including the United Nations3, the Royal Society4 and the United States and United Kingdom governments5, industry leaders in financial services and beyond are beginning to recognize the benefits of this transformative family of technologies. Gartner6 recently predicted that by 2025, 60 percent of major organizations and government bodies will use one or more privacy-enhancing computation techniques in areas such as analysis, strategic monitoring and cloud computing. The UK’s information commissioner, John Edwards, further backed this notion upon the recent launch of the ICO’s PETs guidance7: “If your organisation shares large volumes of data, extraordinary category data, we recommend that over the next five years, you start considering using PETs. PETs enable safe data sharing and allow organisations to make the best use of the personal data they hold, driving innovation.”
For financial-services firms, utilizing PETs enables data to be leveraged in a secure, privacy-preserving and efficient manner — a critical capability that drives organizations forward via intelligence-led decisions in business-relevant timeframes. The technologies can also be applied to machine learning (ML) applications, which are increasingly important for global businesses. Privacy-preserving machine learning, which is essentially PETs leveraged in support of ML, has emerged as a unique path to ensure that users can capitalize on the full potential of artificial intelligence (AI) and machine learning to more effectively extract value and harness the power of data to enable critical business functions. PETs were in fact highlighted as a key enabler of secure AI in an Executive Order8 on Safe, Secure, and Trustworthy Artificial Intelligence issued by President Biden recently.
One way PETs-powered solutions facilitate secure and private data usage is by enabling banks to securely crossmatch, search and analyze regulated data across silos while ensuring sensitive assets remain protected during processing. The ability to leverage more comprehensive datasets in this privacy-preserving manner improves outcomes by driving prioritization, enhancing enterprise data quality, reducing false positives and advancing the efficiency of internal efforts, such as financial-crime investigations. All of these gains drive greater operational efficiency in ways that were not previously possible.
Privacy Enhancing Technologies in Action
Homomorphic encryption (HE) is a crucial pillar of the PETs category. In its most basic form, it secures data in use9 by allowing computations to occur in the encrypted domain. If, for example, encryption was a vault protecting sensitive data, traditional practices would require taking that data out of the vault every time it needed to be used or processed. This exposure leaves the data and the operation vulnerable. HE allows these actions to occur within the vault, ensuring the interaction and corresponding results remain protected.
Using HE, banks and financial institutions can securely collaborate across organizational or jurisdictional boundaries without introducing new, sensitive variables into the organizations’ data holdings. Bank analysts can encrypt their searches within the bank’s trusted environment. An encrypted query can then be sent to other jurisdictions where it can be processed while ensuring sensitive or regulated content is never decrypted or exposed to outside parties.
This allows data to be used without compromising regulatory or security boundaries or increasing organizational risks. By protecting data while it’s being processed, HE also allows financial institutions to securely leverage external data assets, such as commercial data sources or public datasets, in a decentralized manner without exposing sensitive indicators.
For AI and ML applications, PETs can also be used to protect models and allow them to be securely leveraged outside the trusted walls of a financial institution. Via PETs-powered secure AI, analysts can use machine-learning models to extract insights from data sources residing in other jurisdictions or owned by third parties securely, even when using highly sensitive or proprietary models and those trained on sensitive data.
For example, if a bank wants to evaluate an ML model relating to customer risk over datasets in another operating jurisdiction, it must respect regulatory restrictions relating to data localization while ensuring the privacy and security of the regulated data upon which the model was originally trained. Using HE to encrypt the model, the bank can safely evaluate that encrypted model across multiple jurisdictions to improve outcomes.
Another pillar of the PETs category, secure multiparty computation, can be used to enable cross-jurisdictional model training. In this scenario, a bank wants to train its ML risk model over regulated datasets in another country but needs to protect the model during the training process to ensure the privacy and security of both the regulated data upon which the model was originally trained and the cross-jurisdictional regulated training data. If the model were visible during the training process, it could be easily reverse-engineered to extract information, and the organization could be at risk of violating regulatory restrictions. This makes any exposure of the model a direct liability for the bank. Leveraging a PETs-powered encrypted training solution, the bank can safely train its encrypted ML model across datasets without moving data or pooling it in a single location, improving its risk model and enabling more informed decision-making during customer onboarding.
The Value of PETs
Data is a crucial component in the successful operations of today’s businesses, and the importance of securely leveraging this data needs to be a priority, especially in regulated industries such as financial services. As data consumers become more familiar with the family of technologies known as PETs, they understand the business-enabling impacts of these new capabilities: unlocking data’s value while respecting regulatory and security boundaries.
We are now at a tipping point at which the need to leverage global data sources is becoming ubiquitous. Efforts to expand our collective understanding of the value of PETs are essential, as these technologies can enhance our ability to leverage data securely and privately across silos to extract insights and unlock value. By advancing our abilities to secure and privately use data at scale, PETs will solidify their place as transformational technologies of the digital era.
This article was originally published in the Autumn/November 2023 edition of International Banker. Find the original version here.