Financial services institutions and banks around the globe face monumental challenges as they look to streamline service delivery for customer transactions, manage multi-party loan processes, collaborate on industry benchmarks and indices, and eliminate fraud and cybercrime. Historically the market has primarily relied upon manual approaches for sharing and managing transaction data. But advances in confidential computing (sometimes called CC or trusted computing), combined with federated machine learning (FML), are helping financial organizations better share data and outcomes, while alleviating many privacy and security concerns.
Before we look at some real-world use cases of how CC and FML are helping to improve security and privacy in financial services, let’s first quickly review what these technologies are. CC uses hardware memory protection (usually in a CPU) to help isolate data payloads. This represents a fundamental shift in how computation is done at the hardware level and changes how vendors can structure their application programs. It enables encrypted data to be processed in memory while decreasing the risk of exposure to the rest of the system. This reduces the potential for sensitive data to be exposed, while providing a higher degree of control and transparency for users. CC’s secret sauce relies on Trusted Execution Environments (TEEs, also referred to as enclaves) in the firmware and can enable collaboration between a variety of parties including hardware and software vendors, cloud providers, developers, open source experts, academics and more. A good example of this sort of collaboration is the Confidential Computing Consortium.
FML, which was first introduced by Google researchers about four years ago, offers tremendous advantages when it comes to privately and securely enabling model training (using machine learning) against large pools of data from multiple entities. Rather than requiring all participating organizations to move their data sets to a centralized compute environment for aggregation, FML moves processing onsite at each individual organization’s location. Only the query results are delivered back to the core compute environment where a collective model is then updated. This decentralized method alleviates many common privacy concerns associated with data collaboration.
How do these two technologies (CC and FML) work together? Think of CC as helping to facilitate the secure connections and isolation of sensitive data. You essentially create a network of organizations (which can be done with blockchain or not), each with its own node (usually a server) that utilizes TEEs in the microprocessor to communicate more securely with the other nodes or with a centralized node. These nodes can also run software programs in the TEEs. This is where FML comes in. Each node runs an ML model (or application), then uploads the outcome to a centralized node, which then updates all parties. The compute function is essentially run off chain using the same model by all parties, then pushed out and updated to the master model. Not only does this dramatically speed information sharing, but it does so more securely while meeting compliance standards and guidelines.
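The update loop described above can be sketched as federated averaging over a small logistic-regression model; this is an added example, not code from any framework or vendor the article mentions. The three banks, their features (amount, counterparty spread) and the labelling rule are constructed sample data, and the TEE layer is not simulated: the weight vectors passed between functions here stand in for what would travel between enclaves.

```python
import math
import random

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def local_update(weights, rows, lr=0.5, epochs=5):
    """Runs on one bank's node: trains on local rows and returns weights only."""
    w = list(weights)
    for _ in range(epochs):
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
    return w

def federated_average(updates):
    """Central node: sample-weighted mean of the weight vectors it received."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]

def make_bank_data(rng, n):
    """Constructed data: ([bias, amount, counterparty spread], suspicious?)."""
    rows = []
    for _ in range(n):
        amount, spread = rng.random(), rng.random()
        rows.append(([1.0, amount, spread], 1 if amount + spread > 1.0 else 0))
    return rows

def accuracy(weights, rows):
    """Share of rows where the model's 0.5 threshold matches the label."""
    hits = 0
    for x, y in rows:
        score = sigmoid(sum(wi * xi for wi, xi in zip(weights, x)))
        hits += (score > 0.5) == bool(y)
    return hits / len(rows)

def run_federation(rounds=20, seed=7):
    rng = random.Random(seed)
    banks = [make_bank_data(rng, n) for n in (120, 80, 200)]  # rows stay local
    holdout = make_bank_data(rng, 300)
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        # Each bank starts from the shared model and reports (weights, row count).
        updates = [(local_update(global_w, rows), len(rows)) for rows in banks]
        global_w = federated_average(updates)  # master model sent back to all
    return global_w, accuracy(global_w, holdout)

if __name__ == "__main__":
    w, acc = run_federation()
    print("master model:", [round(v, 3) for v in w], "holdout accuracy:", round(acc, 3))
```

The central node only ever handles weight vectors and row counts, never a bank's transaction rows, which is the property the TEEs are then used to protect in transit and during aggregation.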
The ability to collaborate with other organizations on large-scale initiatives and projects, without disclosing sensitive data, makes this approach attractive in financial services and banking (not to mention other areas like healthcare, supply chain, etc.). Let’s look at several real-world use cases.
It’s no secret that financial institutions and banks struggle to mitigate digital theft, fraud and money laundering activities. Criminals have a knack for hiding their financial histories by distributing transactions across a number of institutions. To help combat this problem, there are mandated Know Your Customer (KYC) guidelines that are designed to reduce fraud. However, these processes are typically resource intensive and manual in nature.
In addition to KYC, most organizations also layer on additional software models (many now employing machine learning) that look for suspicious patterns in customer activities. It’s also standard to have transaction rules that help raise red flags for suspicious activity (for example if a transaction is over $1,000). Unfortunately, the false positive rate associated with these two approaches is high (and every bank uses a different model). These problems are compounded by the fact that financial service organizations do not typically share data with other institutions or competitors, and even if they did, the varying approaches in modeling would present additional roadblocks to collaboration.
To help financial institutions collaborate on anti-money laundering efforts – while meeting compliance guidelines – many are starting to turn to CC and FML. Here’s how it works. A group of 50 financial service organizations or banks decide to partner and create a governance network (again, they may or may not decide to use blockchain here), where they can share transactional data. This network requires each party to have a node (or server) running CPUs with TEE technology (one framework being used to accomplish this today is Hyperledger Avalon). All parties agree on an application model for processing customer data, which is run off chain in the TEE or enclave of the CPU on the node. A centralized node is then used for all parties to upload the outcomes of a request into another TEE (encrypted). This process does not reveal any specific customer data; it typically just provides a risk-based assessment. CC and FML allow organizations to identify high-risk individuals without sharing complete transaction history data.
General financial approvals, rate calculations, credit scores and more
CC and FML approaches are also being applied to a variety of other use cases in financial services. For example, banks and credit card companies are creating partnership networks and using this technology to help validate legitimate customers. They’re able to gather a more complete picture of a customer’s financial health before extending credit or loans, while reducing the risk of exposing customer data to a competitor.
Organizations are also creating networks to streamline market rate calculations for loans. Those in the network can more securely share rates they use for loans through the TEEs and let the application run calculations off chain, then update the centralized node, where the master model runs a final rate calculation. This approach can eliminate the need for intermediaries (such as the Libor Index), or more likely, will be adopted by intermediaries to streamline calculations and reduce costs (while still giving banks a source of accountability).
Financial institutions also face challenges today when calculating an accurate credit score using transaction history, without giving away competitive information that could allow another card company to steal customers. With CC and FML, banks can privately share transaction and account information to help inform a credit score recommendation off chain in the TEE, then upload it to the master model or applications. This gives everyone in the network a more accurate picture of a customer’s credit health.
This approach to understanding the level of risk associated with an individual can also be applied to loan fulfillment with larger global corporations. Large loans are often distributed across many banks (managed by one bank, fulfilled by a network of banks for example). Determining if fulfillment is a good investment requires understanding loan obligations to other banks globally. This generally requires the highly manual process of calling and validating with other banks (or using an intermediary that manages the process). But with CC and FML, organizations can evaluate how much debt has been issued, if there is successful payment, if the covenants of the loan are being honored, and more. This allows other organizations to better evaluate risk when deciding to issue more capital.
While still in the early days of adoption, it’s exciting to see financial services institutions exploring these types of CC and FML use cases. Not only are organizations using the technology as it relates to blockchain networks, but also in ad hoc networks (or more trusted partnerships). If you’re interested in keeping an eye on this space and the latest developments, you can find great information on Intel’s confidential computing site or at the Linux Foundation.