Emerging privacy enhancing technologies (PETs) are the new blind spot in digital banking

The Mobey Forum is an independent industry association that connects thought leaders together to identify commercial drivers for the development of better digital commerce. In their latest research, the group shines a spotlight on the importance of emerging privacy enhancing technologies and their potential role in supporting risk mitigation and business innovation.

Data driven innovation is currently restricted

According to the Mobey Forum’s AI & Data Privacy Expert Group, in today’s data-driven world, the banking industry relies too heavily on legacy data privacy enhancing technologies. This reliance, together with the restrictions on financial data usage imposed by regulations, is inhibiting data-driven innovation across the industry.

A ‘privacy blind-spot’ is becoming increasingly critical in today’s financial services climate, where organisations are constantly challenged to balance innovation without compromising how sensitive data is stored or shared. However, a new breed of emerging privacy enhancing technologies (PETs) may provide the answer to mitigating risks and enabling business innovation to continue apace.

Amir Tabakovic, CEO and Founder at Experiens.ai and AI & Data Privacy Expert Group Co-Chair, says: “Banks face many obstacles when taking a data-driven approach to innovation. Widely adopted legacy privacy technologies are now failing and increasing privacy-related risks. This can quickly become a complex topic, with issues being impacted by legal, business and technology factors. Understanding the underlying problems can be difficult and thanks to a rapidly changing privacy landscape, many legacy solutions can no longer be applied to today’s challenges. The net result is the stalling of both internal innovation and the creation of multi-stakeholder ecosystem use-cases. This is the current blind spot.”

PETs support innovation

The report highlights a new breed of emerging PETs that create the potential for financial service organisations to both significantly reduce existing privacy risks and allow the implementation of privacy-by-design principles.

Amir adds: “Emerging PETs are bringing forward new approaches to fill the void and clear the path to innovation. The speed at which banks can adopt these new approaches will determine their capacity to get ahead of the game in data-driven innovation.”

The report’s authors stress that if the industry can adopt a strategic approach to PETs, its key institutions may finally escape the privacy versus value creation dilemma, in which privacy protection occurs at the expense of innovation (and vice versa).

Ville Sointu, Head of Emerging Technologies at Nordea and AI & Data Privacy Expert Group Co-Chair, says: “The digital banking industry is walking a fine-line between consumer protection and collaborative innovation. Across the board, financial institutions must find a way to create new value out of data without compromising privacy. A new approach is required, one that enables emerging privacy enhancing technologies to solve some of the key challenges in this space, such as how to process anonymous and encrypted data without losing value, even when no details about private data are shared.”

Emerging privacy enhancing technologies

PETs use different computational, mathematical and statistical approaches to extract data utility while preserving the privacy of the information. Critically, emerging PETs seek to find a space between trust and re-identification hacks.

Ville says: “Between the two privacy enhancing technologies generally in use today; which are restricting access and anonymising data, we have now recognised the area that we call emerging privacy enhancing technologies. The idea is that you use advanced techniques to basically allow analytics services and artificial intelligence to process data without revealing ANY details about the data. For example, with homomorphic encryption you share fully encrypted data. As it’s completely encrypted, you’re able to share it with a third party without giving any decryption keys into the data, allowing them to process it and then come back with meaningful insights about that data. This is even though they never saw the underlying data. Of course that creates a lot of questions. How is that even possible? This is enabled by advanced algorithms and mechanisms that are being used here, made possible with modern processing power, for example.”

The report highlights some of the most promising emerging PETs as being ‘encrypted analysis’, ‘anonymised computing’ and ‘high dimensional anonymisation’:

Encrypted analysis

Until recently, it was necessary to decrypt data before it could be analysed or manipulated. This meant that encryption couldn’t be used in some parts of the data value chain. Enabling encrypted data to be analysed and manipulated eliminates this limiting factor, together with the associated privacy risk.

• Homomorphic encryption - Homomorphic encryption is a privacy preserving technology that allows third parties to process and, in some instances, even manipulate encrypted data without ever seeing the underlying data in an unencrypted format. Thus, data can remain confidential while it is processed, enabling useful tasks to be performed with data residing in untrusted environments.

Anonymised computing

Anonymised computing is a term used by the report’s authors to describe a designated group of methods that focus on analytical processes and introduce various privacy features into the process.

• Secure multi-party computation – As the name suggests, secure multi-party computation (MPC or SMPC) is a cryptographic technique that allows several different parties to jointly compute the encrypted data. In other words, MPC allows the joint analysis of data without sharing it. In this way the data remains protected from third parties. Only the participating parties can determine who is allowed to view the outcome of the computation.

• Federated learning – The federated learning concept removes the need to share sensitive data in order to perform machine learning. Traditional machine learning approaches usually try to gather data from relevant sources into one processing environment and feed it into a single machine learning model. In contrast, federated learning advocates the use of multiple versions of a central model that are distributed to the relevant sources, where they are trained and operate locally. Only the adjustments to the model based on the local training get played back to a central version of the model that acts as a general template.

High dimensional anonymisation

High dimensional anonymisation is a term used by the report’s authors to describe anonymisation methods dealing with large datasets that would otherwise be difficult to anonymise.

• Representative AI-generated synthetic data – Replacing real data with fabricated data is not a new idea. The most rudimentary way of doing it is by replacing the data with randomly generated place holders – dummy data. A slightly more sophisticated way of fabrication, “fake data”, is performed by manually imposing some rigid business rules or correlations between attributes of the dataset. Both methods have no analytical value, and the replacement data is not used to derive analytical insights. A new approach to creating data that is representative of the original dataset is to use AI to create synthetic data that is highly statistically representative of the original data but at the same time is fully private.

• Differential privacy – Differential privacy is a rigorous mathematical definition of privacy. In the simplest setting, consider an algorithm that analyses a dataset and computes statistics about it. Such an algorithm is said to be differentially private if by looking at the output, one cannot determine whether or not any individual’s data was included in the original dataset.

Protecting data privacy

It is hoped that with the emergence and uptake of new privacy enhancing technologies, data will be able to be used whilst protecting the private individual.

Ville says: “The idea is to move into zero trust in a sense that banks can in a completely privacy protecting way, use the data for creating better analytics services and improved solutions for their customers. This at the same time as not compromising at all on the actual privacy of the customer data. It is really this interesting meeting point between access control and anonymisation techniques, kind of in between, so getting a little bit of the best of both worlds. It’s never as clear as that though of course. It’s early days for these techniques and it’s yet to be seen which one of them will become mainstream. Actually it ends up being almost always a combination of multiple things depending on what you do. It’s almost never just a single technology that is used to solve your needs.”

“The key thing is collaboration. Finding a way to protect the privacy of the customer and collaborate with other industry providers in a way that doesn’t break the competitive nature of the industry either. Some banks actually have already taken steps towards using these technologies in the areas of assessing credit risks and fighting financial crime. Banks can now make a choice. They can continue to process the data internally behind lock and key and do the best they can. However, the future is in collaboration and I think it’s up to the banks now to decide if they want to move forward with developing these new types of privacy enhancing technologies to allow those ecosystem benefits to become a reality. It’s time to start working on these things instead of doing your own internal processing to a large extent,” concludes Ville.

Mobey Forum’s AI and Data Privacy Expert Group was formed in March 2020 to address how banks and other financial institutions can strike the balance between data privacy, security and innovation in the age of Artificial Intelligence (AI). This report is the first in a two-part series. The second part is anticipated later in 2021 and will take a deeper dive into the different PETs, their variable stages of maturity, and their potential to solve some of the most urgent privacy risks that banks face today.

You can read more about the Mobey Forum here.

To discuss the themes mentioned in this article further, write to Ville at ville.sointu [at] nordea.com (ville[dot]sointu[at]nordea[dot]com).