Privacy for open banking banner image

Privacy Enables the Adoption of Open Banking

by

In this blog, we provide a more detailed exposé on the problems facing data-rich banks that are unable to leverage third party data due to regulatory and privacy concerns. It also includes more details about how TripleBlind’s solution works and unlocks new opportunities for banks and financial institutions.

The Current Problem

As countries advance towards Open Banking, or Consumer-Directed Finance, the data economy is simultaneously becoming increasingly regulated, making data privacy compliance a moving target. Strict laws and steep penalties for infractions create headaches for all parties involved in data transactions, while presenting a major hurdle in the transition to Open Banking.

Open Banking is about allowing the consumer to control where their data goes and how it is used by third party financial services (TPPs) providers to develop new products and services, opening up transparency of financial product options and encouraging collaboration between banks and financial technology firms. 

Developing the application programming interfaces (APIs) to make bank data available to consumers, financial institutions, and third-party service providers all in one place while controlled by the consumer, is just one piece of the puzzle. For Open Banking to work, data transactions must be completely private and authorized on a per-use basis.

Banks and financial institutions are hesitant to provide data even to their own partners because the risk of abuse is too high. Even with data owners (the bank or fintech) being equipped with state of the art technology, they do not have the technological means to restrict the usage of the data to legitimate uses only.

Why are Banks Reluctant to Share Data?

banks sharing financial data current state diagram

The bank sends the partner encrypted data so that nefarious hackers can’t snoop on the data while it’s in transit, but to do anything useful with the data, the partner institution has to decrypt it. This decryption generates a duplicate copy of the data in the raw, in the hands of the partner, which is subject to several vulnerabilities for both sides.

For the recipients/users of the data (the partners of the bank or financial institutions):

  1. Since they’re generating a copy of the data in the raw after decryption, a very stringent IT security solution has to be in place. This is quite expensive to put together. 
  2. Just having the IT security solution is not enough – certifications are also needed from third parties that the data is being handled correctly. This often costs thousands of dollars as well.
  3. Involved parties need to be compliant with all the laws and regulations that come with the data. This means that more costs will be attributed to attorneys and compliance experts.
  4. Strong stringent governance operations will also be required to ensure that it’s safe from their own employees inadvertently seeing data they’re not allowed to and abusing it.
  5. Parties may need the data just for a particular transaction, but there’s no guarantee that the recipient will delete it after it’s been used. This leaves stray data from previous uses in the recipient’s possession and stray data has been hacked in several situations in the past, including Capital One. This leads to a lot of liability issues. 
  6. Sometimes parties have to convince the sender/owner of the data that it’s not going to be abused since they’ll have decrypted data. This requires a lot of trust on both sides – which is risky to do with sensitive, regulated data.

For the senders/owners of the data (the banks or financial institutions):

  1. The default position on any data request is “no.” There’s a lot of business that isn’t happening today because no one believes data can be safely transacted. 
  2. If they choose to do business, they’ll still face big issues:
  1. Parties don’t want to just take their partner’s word that they won’t do evil. It needs to be enforced that they aren’t able to do any evil. 
  2. It’s a big headline risk. By being the victim of a data breach, reputation and trust is shattered. 
  3. There’s financial risk especially with a data breach. The partner will come with huge fines from regulators. 
  4. The partner needs to uphold their commitments to compliance with the appropriate laws and regulations, data security, and the terms of the contract. This is impossible with today’s state of the art technology, and often relies on good faith adherence to the terms of the contract.
  5. No one wants a partner that is a liability, even if the partnership is severed, the private data the partner has received in the past still holds a lot of risk.
  6. Everyone wants to avoid being the bad actor in the receiving institution, but one bad employee is all it takes. Relying on operational procedures and good-faith enforcement is not enough.

Open Banking involves providing data not only to trusted partners, but also to other fintechs and banks that may even be competitors. Because Open Banking involves sharing data with more parties, it poses additional danger to the financial data privacy of consumers, who are already wary of sharing their financial information with anyone other than their bank.

Current Workarounds

  1. Anonymized data is a common workaround to ensure that re-identification of individual customers is impossible to strip away all personally identifiable information from the dataset. The problem with this approach is that the anonymization has to be done manually, and strips away valuable information that can be useful for analysis. This manual process involves several data scientists manually cleaning, masking and hashing every attribute in every table, and can take months for just one dataset. Also, compliance is difficult – it’s been shown that even after manual anonymization, re-identification is still possible.
  2. Synthetic data involves creating a derivative dataset that does not contain any of the real data. However, this involves introducing statistical bias and noise into the dataset, and doesn’t really allow all of the real information to be extracted from the dataset. For example, outliers are often the most interesting from an analytics standpoint, and synthetic datasets can’t accommodate this.

The Solution

TripleBlind provides a Virtual Clean Room where the data can safely be used by the partners without ever exposing it to any of the risks that come with handling raw data. Powered by novel breakthroughs in advanced cryptography and mathematics, TripleBlind ensures that the financial institutions can safely work together with their partners.

TripleBlind Eliminates Decryption

TripleBlind clean room solution diagram

TripleBlind’s Virtual Clean Room ensures that all legitimate operations on the data can be performed safely, while at the same time guaranteeing that no unauthorized operations can be performed on the data. No raw data may ever be taken out of the Virtual Clean Room. The data owner decides what operations are legitimate, and the clean room maintains an audit log of how the receiver used it every time. This Virtual Clean Room only exists for the duration of the usage of the data and vanishes after the transaction, and the real data never leaves the sender’s systems.

TripleBlind reduces the risks on both sides – banks never provide raw data, and yet, there’s no restriction around the legitimate use of the data by partners. The partners can use the data as they usually do without needing to take on the risk of working with the bank’s raw data. The real data is available to be used for the transaction, without requiring anonymization or tokenization.

For the partners, this is beneficial in several ways:

  1. Better service offering because the partners can get access to any data they need, thus building better products and services.
  2. Low liability since the partners never have raw data. They don’t present as a liability to the banks because the banks provide data in a way that only the previously agreed upon operation can be performed on it. So neither party is liable to a data abuse risk.
  3. There’s no restriction on legitimate use. TripleBlind’s novel encryption doesn’t place any restrictions on what can be done to the data with the permission of the data owner. All operations that are normally done on raw data are able to be performed on the encrypted data.
  4. Lower IT security costs  since the receiver doesn’t have to buy expensive IT security tools or go through pricey certifications processes.
  5. More accurate algorithms because they can now access more granular and more diverse data sources. Their algorithms can get more accurate and generalize better to new scenarios.

For the banks, this means:

  1. They can work with more partners to monetize their latent data assets, driving revenue straight to the bottom line.
  2. They don’t take on any additional risk in doing so.
  3. They don’t have to spin up a new data science team to spend months manually anonymizing a single dataset.
  4. They don’t have to go through the compliance, risk and review processes every time they choose to work with a partner.

For the consumer, this means:

  1. They can share their financial data however they want without risk of their data being leaked, stolen, or used for unauthorized purposes.
  2. They can benefit from better financial product and service offerings, catered to their financial needs.

Pricing

Our pricing varies so it’s best to reach out to us to receive a quote. But if you’re still not convinced by our technology, set up a demo and I’m sure we’ll change your mind. Fill out our contact form here.