Financial institutions need a way to share financial crime information securely
The fight against financial crime has always been a team effort, with success driven by good communication and collaboration within anti-financial crime programs at financial institutions. There is also an ongoing trend toward collaboration among financial institutions in the form of information sharing. In the United States, section 314(b) of the USA PATRIOT Act permits two or more financial institutions, and any association of financial institutions, to “share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities.” (About 40 percent of U.S. depository institutions are currently registered to participate.) In the Netherlands, the three largest Dutch banks recently said they would establish an agency to monitor all their transactions. Regulators are encouraging information sharing too. Financial regulators in eight Nordic and Baltic countries agreed last year to share more information about money laundering threats. At the same time, the E.U.’s 5th Anti-Money Laundering Directive broadened access to beneficial ownership information registries.
It’s exciting to see momentum increasing for information sharing among financial institutions. I believe that increased information sharing will significantly bolster the global fight against financial crime by unlocking insights that would be impossible to glean otherwise. Just think of how sophisticated transnational criminal organizations operate: they use specialized cells for different functions. They often contract certain functions out, so what they do at one individual financial institution may look innocuous. But if anti-money laundering professionals can access data on how these individuals interact with other financial institutions, they can apply “scenarios without borders” to detect suspicious patterns in the individual’s entire body of transactions and behaviors.
To achieve this vision, however, financial institutions must first address some technical challenges. The current process by which financial institutions share information is relatively manual and inefficient, relying on forms sent back and forth via email. A better approach would be for information requests to be completely integrated into the compliance system, allowing investigators to initiate information requests from a case manager or even a graph-based network visualization.
Think of all the ways a system like this could improve investigations. What if, instead of guessing that an entity resolution engine matched the right parties, an investigator could get confirmation of specific information from an external party? Or perhaps when an event is created, an API asks some relevant questions of the counterparty to help determine the event efficacy? And then the answers to these questions are automatically included in the case before an analyst even opens it? We begin to unlock a whole new realm of efficiency and effectiveness, not thought possible before. With an easy way to securely and privately get answers from counterparties to investigative questions, investigators could clear cases more accurately and efficiently. We’d also likely see fewer “defensive” Suspicious Activity Reports (SARs) (i.e., SARs filed because activity couldn’t be explained).
Integrated information request functionality would also allow financial institutions to control security, authorization, and encryption. As a technology provider, I am mindful of the concerns and barriers to information sharing, including GDPR and other regional privacy requirements. To successfully share information, financial institutions must do so in a secure way and protect privacy and confidentiality. One way to do this is by using homomorphic encryption, a privacy-enhancing technology. To learn more about homomorphic encryption and its use in fighting financial crime, I spoke with Alon Kaufman, CEO and co-founder of Duality Technologies. This company enables secure digital collaboration.
J.E.: What are privacy-enhancing technologies in general, and what is “homomorphic encryption” in particular?
A.K.: Privacy-enhancing technologies (PETs) are a broad category of technologies designed to protect privacy throughout the data lifecycle. There are many PETs, including homomorphic encryption, multiparty computation, differential privacy, and more. It’s helpful to think of these different technologies as tools in a toolbox – each is the best-fit for a different type of problem.
Homomorphic encryption is a type of PET with an interesting property: it allows you to encrypt data and models and still use them for computation and analysis. This is important because, historically speaking, data could only be encrypted “at rest” and “in transit,” but now, data can be encrypted “in use.”
Because raw data is never exposed during analysis, this opens up various exciting opportunities to extract value and insights from sensitive data – particularly through collaboration with other parties. In the world of financial crime and compliance, homomorphic encryption enables financial institutions to share data internally across jurisdictions and with one another to aid in better detection, prevention, and investigation of different types of financial crimes, all while ensuring financial and privacy compliance.
J.E.: Besides homomorphic encryption, what other alternatives do financial institutions have for sharing information?
A.K.: This depends greatly on the jurisdiction and regulatory regime, and there’s quite a spectrum. Some countries have a lot of space for innovation, like the Netherlands, which just announced a transaction monitoring utility involving its top banks. Other jurisdictions may have mechanisms for information sharing but may restrict the types of data and insights that can be exchanged – the USA and Canada go into this bucket. Yet a third group of countries doesn’t allow information sharing between financial institutions at all, in any capacity – usually due to privacy and confidentiality concerns.
In countries that do allow information sharing, it’s usually a very manual process. For example, in the United States, it’s normal to wait several months for a response to a 314(b) information request and expect a response to around 30% of the sent requests. This, too, of course, means that the requestor’s investigations take longer and are less likely to be productive.
What this all comes down to, ultimately, is that a privacy-enhancing technology like homomorphic encryption can augment and enhance these existing processes quite significantly by speeding them up and helping ease privacy and confidentiality concerns in areas where this has been a barrier to information sharing until now.
J.E.: Why does protecting privacy and confidentiality in financial crime matter?
A.K.: This is an important question to ask. While regulations around data privacy and financial crime vary across jurisdictions, this question gets to the heart of the challenge.
At its core, combating financial crimes mostly focuses on looking at transaction and entity information. This data may include personally identifiable information (PII), like names, addresses, and account numbers, which typically has to be protected both by law and business policy.
Additionally, there are other risk, liability, and competitive considerations one must take into account. First and foremost, financial institutions compete against one another, and to maintain that competitive edge, we need to ensure that data is kept confidential. Additionally, from a risk and liability perspective, firms want to ensure that the data they may be looking at or even collaborating on with other parties doesn’t lead to any tip-offs and isn’t leaked in any way.
This is even more important when data privacy is seemingly secondary, as many might point out about 314(b) requests. The information passed back and forth under 314(b) typically isn’t protected in any special way. Yet, there is a significant personal liability associated with it, and even corporate liability if leaked. As a case in point, we’ve already seen reputational and financial impacts for firms named in the recent Financial Crimes Enforcement Network (FinCEN) leaks.
Fighting against financial crime and maintaining data privacy is sometimes a difficult balancing act. Still, it’s one we all have to maintain and make sure that we work within those guidelines – and that’s where privacy-enhancing technologies promise to help.
J.E.: How is homomorphic encryption used today in financial crime and compliance?
A.K.: There are numerous use cases, although one specific type of collaboration model is gaining the most steam right now: privacy-protected, secure querying. With this capability, different financial institutions can build a query — like, “What is the source of funds for this account?” or “Are there known connections between these two accounts?” — encrypt that query, and send it out to other institutions. The receiving institutions can then automatically send an encrypted answer – both without knowing who the entity in the query was (e.g., which accounts were being asked about), and what answer they provided. This novel capability enables inter-institutional collaboration that regulators have been calling for for years and translates into several high-value applications:
- KYC: Querying other financial institutions about the new entities you want to onboard. This translates to faster onboarding, a better customer experience, better decisions – helping keep the bad guys out and getting more good guys in, including the underbanked.
- Alert triaging and risk rating: Querying other financial institutions or jurisdictions to “fill in the blanks” on missing or incomplete information before running your models. This helps drive down the false positive rate and ensures you’re getting high-value alerts out of your system.
- Investigations: Querying other financial institutions to validate false positives and overcome dead-ends in investigations and significantly quicken your work pace. With today’s technology, investigators can answer their essential questions in seconds, whereas current information exchange processes under 314(b) may take months.
- Model tuning and other feedback loops: Querying internally across borders to understand which alerts are productive to help tune models while ensuring cross-border data privacy and data residency rules are kept intact.
There are several other exciting use cases outside of financial crime, including cross-border data analysis, leveraging third-party analytics, and even monetizing data and insights while preserving privacy, trust, and regulatory compliance.
J.E.: What do the regulators have to say about homomorphic encryption?
A.K.: Regulators in the United States, Europe, and Asia have come out supporting more information sharing. They have sponsored Tech Sprints and sandboxes focused on collaboration throughout the financial crime lifecycle and have made some pretty forceful statements on the importance of rapid, meaningful, and comprehensive information sharing.
We have also seen support for PETs and homomorphic encryption specifically. Homomorphic encryption is used today by some regulators and industry bodies. For example, the Fintel Alliance, led by AUSTRAC, leverages homomorphic encryption to share information between its members for AML investigations. The Cyber Defence Alliance, a bank and law enforcement consortium focused on fraud and cybercrime in the U.K., is also piloting this technology for cross-institution collaboration on investigations. We also see a lot of interest in this technology and positive feedback from North American regulators. For example, facilitating better information sharing is one of FinCEN’s critical areas of focus in their latest proposed rules for enhancing the effectiveness of AML programs.
Notably, privacy regulators have also expressed support for these technologies. For example, the AEPD (the Spanish privacy regulator) recently opined that homomorphic encryption helps enable compliance with the principle of Privacy by Default. The IPC (in Ontario, Canada) has expressed interest and support in it as well. To make a long story short, we see positive sentiment from all types of regulators across geographies.
We’ve also heard about the value of this technology from our clients who are spearheading this technology for inter-institution information sharing in the world of AML, fraud, and cybercrimes. They reported a significant improvement in understanding client activities and are therefore better able to detect, prevent, and investigate these crimes.
J.E.: What does the future hold for homomorphic encryption?
A.K.: As a technology that can protect data in use, homomorphic encryption sees increased demand in a range of regulated industries like financial services, healthcare, the public sector, and more to collaborate privately and securely. In financial crime, mainly, there are a number of firms and consortia utilizing this technology already, and that is only sure to grow, given that the industry increasingly understands the need and value of info sharing.
In terms of adoption rates, the industry needs to build a deeper understanding of the technology and its use cases. This also includes stakeholders like regulators – who, as we discussed, are already calling for more information sharing. With this in mind, financial institutions that want to evaluate homomorphic encryption might be well advised to use open-source technologies that are developed and vetted by an active community (to ensure they meet their security and privacy needs), are compliant with existing standards (to ensure interoperability), and are flexible enough to meet the requirements for a variety of applications (so they can be extended to various functions and operations within the firm). One example of this is PALISADE, which is the homomorphic encryption library we use at Duality.
In parallel to the industry building their knowledge base, the technology will continue to develop rapidly. For example, the technology is moving towards enabling higher-level functionality like image processing and model development using encrypted data. In the United States, the Defense Advanced Research Projects Agency (DARPA) and the Department of Defense (DoD) are investing heavily in this, which is always an indicator of the latest and greatest on the horizon.
Finally, performance and scalability will keep improving. When homomorphic encryption was first implemented, the most straightforward operation took 30 minutes to run. By 2013, it was possible to use homomorphic encryption for encrypted voice over IP calls. It’s now possible to perform operations on very large data sets with sensitive information in them, like analyzing genomic data in a matter of seconds. The future promises to maintain this pace of improvement and bring homomorphic encryption’s performance to parity with unencrypted computations – which means homomorphic encryption will continue to drive value across more and more functions in the enterprise.
The above is an excerpt from my conversation with Alon Kaufman. For more information about homomorphic encryption and its application to fighting financial crime, please message me to learn more or join the conversation by commenting below.
This post was originally published on blogs.oracle.com
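The privacy-protected querying described in the interview, sketched as an added example (not code from the original post, from Duality, or from PALISADE): a toy Paillier scheme, which is only additively homomorphic, lets a requestor ask whether an account is on a responder's list while the responder handles ciphertext only. The account identifiers, function names, and demo-sized primes are constructed for illustration.

```python
import hashlib
import secrets

# Toy Paillier keypair. Demo-sized Mersenne primes: far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, N2 = P * Q, (P * Q) ** 2          # N is the public key
PHI = (P - 1) * (Q - 1)              # private key, held only by the requestor
MU = pow(PHI, -1, N)

FLAGGED = ["ACCT-EXAMPLE-0001", "ACCT-EXAMPLE-0002", "ACCT-EXAMPLE-0003"]  # constructed

def encrypt(m):
    r = secrets.randbelow(N - 1) + 1             # fresh randomness per ciphertext
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def account_tag(account_id):
    # Both sides map an account identifier to the same 128-bit integer.
    return int.from_bytes(hashlib.sha256(account_id.encode()).digest()[:16], "big")

def build_query(account_id):
    """Requestor: encrypt the account being asked about."""
    return encrypt(account_tag(account_id))

def answer_query(enc_query, flagged_accounts):
    """Responder: computes on ciphertext only, using the public modulus N."""
    replies = []
    for acct in flagged_accounts:
        # Enc(x) * Enc(-h) = Enc(x - h); raising to a random k gives Enc(k * (x - h)).
        diff = enc_query * (1 + (N - account_tag(acct)) * N) % N2
        replies.append(pow(diff, secrets.randbelow(N - 1) + 1, N2))
    secrets.SystemRandom().shuffle(replies)      # hide which record matched
    return replies

def read_answer(replies):
    """Requestor: a plaintext of 0 means one of the responder's records matched."""
    return any(decrypt(c) == 0 for c in replies)

if __name__ == "__main__":
    for acct in ("ACCT-EXAMPLE-0002", "ACCT-EXAMPLE-9999"):
        print(acct, read_answer(answer_query(build_query(acct), FLAGGED)))
```

In this sketch the responder never sees the queried account or the outcome, but the number of replies still reveals how many records it holds.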