Homomorphic Encryption — the next big step in data privacy for traditional banks
Homomorphic Encryption — The Need of the hour
The Model of Open Banking
In the ongoing era of rapid digitalization, it has become both convenient and necessary for banking consumers to share data with service providers in order to receive better customer experience and customized financial solutions tailored to their specific needs and aspirations. This emerging trend of consumers providing consensual access of their financial data from their primary financial provider/banks to third-party companies in exchange for tailor-made financial solutions is referred to as “open banking” in the BFSI domain. Emergent Fin-tech companies enter this new banking paradigm as the third-party companies mentioned above with whom the primary financial institutions partner with and share customer data to perform the required analytics leveraging AI/ML/DL capabilities with the outcome of providing personalized products and services for their customers. Since consent is a crucial component of open banking, it is believed that the open banking phenomenon is empowering the financial consumers by enhancing their control over the use of data by banks and their digital partners. The gamut of data that is being exchanged here involves not only the basic identity data fields that we are familiar with through e-KYC such as name, age, gender, and address but also transaction data and bank statement, tax data, pension data, securities data, and insurance data. Such a banking model (see Figure 1 below) helps primary financial institutions become more customer-centric in an industry that is undergoing a transformational shift in the way business is conducted due to technology disruptions, entry of tech players and changing consumer preferences especially among Gen-Z & millennials.
Cause for Concern for Traditional Banks
Nonetheless, a cause of concern arises when you analyze the interaction that is going on in this new open banking system. In this paradigm, third party companies have access to consumer data from multiple banks who tie-up with them not due to sudden found entrepreneurial spirit but due to a lack of alternative options in an industry that is becoming increasingly harder for them to provide aggregate products & services. This exchange of data is facilitated by API (Application Programming Interfaces) that banks build for the purpose of sharing information from their website and databases to that of the third-party companies. Once the information is exchanged, typically banks have a limited role in further analytics and processing done by the fin-tech partner. Moreover, the fin-tech companies can aggregate data of consumers from multiple financial institutions and are better able to predict their needs more accurately and produce products that are more appealing to them. In an age that places convenience and personalization above brand loyalty & familiarity, whoever controls the data eventually controls the market. Eventually, banks who are traditionally aggregate core banking service providers, become incapable of providing customization to the extent that fin-tech companies can and will be cut out from a crucial value creation process in an industry value chain which is already being dis-aggregated. This puts the banks at a strategic disadvantage compared to fin-tech players.
This is where Homomorphic Encryption solutions could step in and save the day for traditional banks.
Homomorphic Encryption (HE from hereon) is an emerging, transformative, Privacy Enhancing Technology (PET) that can re-design data security in the BFSI sector. It is a set of complex algorithms that can enable data-processing without decryption of the shared data. With the PET market size estimated at USD 1.68 billion in 2021 and expected to grow at a staggering CAGR of 40.8% to USD 25.85 billion by 2029, the data privacy market should be catching its fair share of attention & wallet share from global banks recently.
The key drivers of HE in the BFSI market
Furthermore, Gartner has identified privacy-enhancing computation (of which Homomorphic Encryption falls into) as one of the 2021 Top Strategic Tech Trends, predicting that “By 2025, half of large organizations will implement privacy-enhancing computation for processing data in untrusted environments and multiparty data analytics use cases”. If that’s the case, let’s jump into what are the key factors driving commercialization of this technology.
Open Banking — The need to protect banks from a strategic disadvantage while interacting with third party fin-tech players while partnering to execute multi-party computation and provide better customer service is one of the primary drivers for commercialization of HE in the BFSI domain.
Rising Regulatory Standards — The global regulatory environment is evolving to meet and, in some regions, define the customer standards for data security. Increasing calls for data localization and extended producer responsibilities in data management have put the primary financial providers at the forefront of data security responsibilities in BFSI sector. More recently, there is an increasing focus towards protecting data while data pooling, sharing and cross-entity analytics along with the long-standing concerns regarding security during data storage.
Influx of more private customer data into banking system — Recently, the Covid-19 push has brought in more sensitive data such as healthcare data, insurance data and other such sensitive data into the gambit of banks and this phenomenon raises the need for higher standards of security for banking customers.
Impact of HE in open banking paradigm
Fully Homomorphic Encryption can support even arbitrary mathematical operations and is poised to have a significant business impact in BFSI sector. However, as of now, Fully Homomorphic Solutions are not commercially available. Meanwhile, some versions of Partial HE are available in the market, and they support limited use cases with comparatively lower performance impact than FHE.
When fully developed and commercialized, HE can bring around unseen changes in data privacy standards in BFSI.
Partnership Management — Using HE, Banks can transfer sensitive customer data to fin-tech companies in crypted form, blocking out the data fields that are not relevant to the registered task and ask them to process it for performing analytics which can further aid the banks to enhance their customer-centric offerings without over-sharing data for the sake of collaboration. Since HE enables processing without decryption, banks can now engage with fin-tech companies without losing their strategic advantage of being the main custodian of customer data.
Competitor/Regulatory Compliance Collaboration — HE can enable encrypted data sharing (such as transaction data, sharing AML: Anti Money Laundering data) between peer banks and with regulatory authorities without giving up customer privacy.
Customer Privacy — HE empowers customers even more in the era of open banking by enabling their customized demands during data sharing to be now accommodated by primary banks which can further enhance brand loyalty towards primary banks by increasing the customer convenience.
Customer Screening — HE can enable banks to encrypt a query carrying sensitive customer data within the privacy jurisdictions and run the encrypted query globally while ensuring that the content of the interaction and its results are never exposed. This could happen within seconds, as the encrypted data moves around the globe on a standard cloud platform infrastructure, and the bank is left with a more accurate picture of the individuals they are attempting to evaluate.
Anti-Theft and Anti Cyber Attack Protection — Data is most vulnerable during data sharing and data processing stages than any other stages of data handling. This is mainly because it is in decrypted form during these stages and therefore becomes more vulnerable to malware attacks, data theft and even shoulder surfing. Encrypted Data Transfer and Data Processing — as enabled by HE will ensure that safeguards are in place against such attacks and thefts and even if they get stolen, encryption will provide additional layers of protection with data being encrypted & unreadable than the naked data which is typically more vulnerable to attacks from vulnerable actors.
Key bottlenecks to the deployment of HE
Added complexity in operations — The use of HE in data processing is expected to save higher complexity in operations leading to reduced speed of data handling. Additionally, this will require highly specialized personnel which is currently deficient in the Indian labour market.
Solution — Adoption of any new technological infrastructure comes with the challenge that it will disrupt current modus operandi. But once the new infra is integrated into the current banking architecture, it will always make the system more efficient, effective, fast, and secure. This is true for any disruption such as Cloud Banking, AI/ML, API, Big Data Analytics and so on which are now explored by most banks at least through partnerships with fin-tech. During the initial phase of inception, it will lead to complexity in implementation, partnership, and re-training IT architecture & staff. But, as we move ahead, HE will be able to create higher value for both banks and customers with better data security and act as one of the key Unique Value Proposition for the bank adopting it. Also, it is more expensive and non-strategic for banks to maintain the ageing workforce who are trained in legacy systems and are familiar with the current architecture when the customers are expecting banks to provide them with convenience that top-of-the curve tech companies are offering them.
Theoretical complexity — Since Fully Homomorphic Encryption is not a Turing-complete framework it is limited to operations based on addition and multiplication (and their inverses). While still useful, some scenarios will never be a good fit for Torus Homomorphic Encryption (Solution-)but could be addressed using an alternative technology: confidential computing.
Steps for financial institutions to adopt and leverage HE technology
(1) Opportunity Exploration — Create a list of use cases where HE can be applied for the bank’s current strategy and mode of operation.
(2) Financial Commitment — Gear up investment into HE R&D by funding research and scientists working on the same to make the solution customized for the bank’s strategy. Treat potential HE projects as experiments since the technology is still in its early stages. Consider these experiments as proof of concept until the technology matures.
(3) Partnership Management — Communicate with fin-tech partners about your intent to deploy HE when it becomes commercially available with a tentative timeline in order to maintain transparency and expectation setting. This allows the interested partners to calibrate their analytical skills to suit encrypted data processing.
(4) Current Security Reinforcement — Continue to invest in existing security protocols such as access controls, data residency requirements and protecting decrypted text while in-memory since FHE/PHE are not replacements but advanced enhancements to the current security architecture.
(5) Field Testing — Try piloting HE through a vendor solution instead of custom solution in order to field test it without taking on too much investment. Possible examples of vendors could be IBM, Duality Technologies, Enviel, Inpher, Duality Technologies.
(6) Adoption & Integration — Chart a strategy for adoption of HE into current IT architecture with technical and strategy leads of the bank.
Recently, prominent Brazilian Financial Institution, Banco Bradesco had collaborated with IBM Research in using machine learning algorithms to process encrypted data (HE). In a pilot project they conducted between January and July 2019, the goal was to look at an account holder’s banking activity over a period and through machine learning, predict with good accuracy whether that account holder would need a loan within the following three months. The first step was to use HE to encrypt transaction data, and ML-based prediction model. In the end, they re-trained the model with new encrypted transaction data once a desirable degree of accuracy was reached.
Way Forward
Conclusively, at a time and place when the “traditional banks” are being driven either by regulation or by evolving customer preferences to share data with third party companies, it is the need of the hour for banks to invest in developing and deploying HE solutions into their IT architecture. With IT expenditure ranging between 4.4 and 11.4% of total revenue for 25th and 75th percentile in a Statista Research (2022), it stands to reason that a portion of this spend be rationed for HE technology as well. Once commercialized, the strategic advantage of superior data governance standard and added value proposition to customer will make the investment worthwhile for banks across the globe.
Therefore, it is pertinent that banks take a proactive stance by investing into HE and deploy PHE/FHE solutions to ensure control over data, because in an age that places convenience and personalization above brand loyalty & familiarity, whoever controls the data eventually controls the market.
(Disclaimer: The author is a Business Consulting Intern in the Banking, Financial Services, and Insurance domain at Tata Consultancy Services Ltd.)
REFERENCES
(1) Gartner Hype Cycle for Digital Banking Transformation (Alistair Newton, 2021)
(2) Practical Homomorphic Encryption: Three Business Use Cases, Ellison Annie Williams, Forbes Aug 10, 2020
(4) Hybrid Homomorphic Encryption Method for Protecting the Privacy of Banking Data in the Cloud; Maha Tebaa , Karim Zkik and Said El Hajji; University of Mohammed-V, Faculty of Sciences — Rabat, Morocco, Laboratory of Mathematics, Computing and Applications
(5) Homomorphic Encryption Application on Financial Cloud Framework; Hsin-Tsung Peng , William W.Y. Hsu, Jan-Ming Ho, and Min-Ruey Yu;
