Data, and how it’s shared and managed, is a paramount issue for every bank and financial services institution. These organizations have historically relied primarily on manual approaches for sharing and managing transaction data, and face monumental challenges as they look to streamline service delivery for customer transactions, manage multi-party loan processes, collaborate on industry benchmarks and indices, and eliminate fraud and cybercrime.
But advances in confidential computing (sometimes called CC or trusted computing), combined with federated machine learning (FML), are helping financial organizations better share data and outcomes while alleviating many privacy and security concerns.
Here Mike Reed, Director of the Blockchain Program Office, Intel, offers his guidance on how chip technology makes data sharing safer in financial services. As well as managing the blockchain program within Intel Architecture, Graphics, and Software group, Mike also works with open-source software consortiums like the Linux Foundation’s Hyperledger project and the Enterprise Ethereum Alliance to help accelerate blockchain adoption.
Before we look at some real-world use cases of how CC and FML are helping to improve security and privacy in financial services, let’s quickly review what these technologies are.
Confidential Computing (CC)
CC uses hardware memory protection (usually in a CPU) to help isolate data payloads. This represents a fundamental shift in how computation is done at the hardware level and changes how vendors can structure the application programs. It enables encrypted data to be processed in memory while decreasing the risk of exposure to the rest of the system. This reduces the potential for sensitive data to be exposed while providing a higher degree of control and transparency for users. CC’s secret sauce relies on Trusted Execution Environments (TEEs) in the firmware (also referred to as enclaves) and can enable collaboration between a variety of parties including hardware and software vendors, cloud providers, developers, open-source experts, academics and more. A good example of this sort of collaboration is the Confidential Computing Consortium.
Federated Machine Learning (FML)
FML, which was first introduced by Google researchers about four years ago, offers tremendous advantages when it comes to privately and securely enabling model training (using machine learning) against large pools of data from multiple entities. Rather than requiring all participating organizations to move their data sets to a centralized compute environment for aggregation, FML moves processing onsite at each individual organization’s location. Only the query results are delivered back to the core compute environment where a collective model is then updated. This decentralized method alleviates many common privacy concerns associated with data collaboration.
How do these two technologies (CC and FML) work together?
Think of CC as helping to facilitate the secure connections and isolation of sensitive data. You essentially create a network of organizations (which can be done with blockchain or not), each with its own node (usually a server) that uses TEEs in the microprocessor to communicate more securely with the other nodes or with a centralized node. These nodes can also run software programs in the TEEs. This is where FML comes in. Each node runs an ML model (or application), then sends the outcome to a centralized node, which then updates all parties. The compute function is essentially run off-chain using the same model by all parties, and the results are then pushed out and used to update the master model. Not only does this dramatically speed information sharing, but it does so more securely while meeting compliance standards and guidelines.
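As an added illustration (not from the original article or from Intel), the following Python example runs the federated round described above: each bank trains the agreed model on its own rows and sends only the resulting weights and a row count to the central node, which averages them into the master model. The bank names, features and transaction rows are constructed, logistic regression is an assumed choice of model, and the TEE isolation and attestation of each node are not modelled.

```python
import math

# Constructed sample data, one list per bank:
# (amount_scaled, institution_spread, label) with label 1 = suspicious.
BANKS = {
    "bank_a": [(0.1, 0.1, 0), (0.2, 0.0, 0), (0.9, 0.8, 1), (0.8, 0.9, 1)],
    "bank_b": [(0.15, 0.2, 0), (0.85, 0.7, 1), (0.3, 0.1, 0)],
    "bank_c": [(0.7, 0.9, 1), (0.05, 0.15, 0), (0.95, 0.95, 1),
               (0.25, 0.2, 0), (0.1, 0.3, 0)],
}

def predict(w, x):
    """Probability that features x are suspicious; w = [bias, w1, w2]."""
    z = w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))
    return 1.0 / (1.0 + math.exp(-z))

def local_update(global_w, rows, epochs=5, lr=0.5):
    """Runs on a bank's own node; returns only (weights, row count)."""
    w = list(global_w)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for *x, y in rows:
            err = predict(w, x) - y
            grad[0] += err
            for i, xi in enumerate(x, start=1):
                grad[i] += err * xi
        w = [wi - lr * g / len(rows) for wi, g in zip(w, grad)]
    return w, len(rows)

def aggregate(updates):
    """Runs on the central node; row-count-weighted average of weights."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]

def train(banks, rounds=50):
    """Repeats the round: local training at every bank, then aggregation."""
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        # The central node never receives transaction rows, only updates.
        updates = [local_update(global_w, rows) for rows in banks.values()]
        global_w = aggregate(updates)
    return global_w

if __name__ == "__main__":
    w = train(BANKS)
    print("master model weights:", [round(v, 3) for v in w])
    print("high-risk pattern:", round(predict(w, (0.9, 0.9)), 3))
    print("low-risk pattern:", round(predict(w, (0.1, 0.1)), 3))
```

The only values that cross an organizational boundary here are the weight vectors and row counts returned by `local_update`.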
The ability to collaborate with other organizations on large scale initiatives and projects, without disclosing sensitive data, makes this approach attractive in financial services and banking (not to mention other areas like healthcare, supply chain, etc.). Let’s look at several real-world use cases.
It’s no secret that financial institutions and banks struggle to mitigate digital theft, fraud and money laundering activities. Criminals have a knack for hiding their financial histories by distributing transactions across a number of institutions. To help combat this problem, there are mandated Know Your Customer (KYC) guidelines that are designed to reduce fraud. However, these processes are typically resource-intensive and manual in nature.
In addition to KYC, most organizations also layer on additional software models (many now employing machine learning) that look for suspicious patterns in customer activities. It’s also standard to have transaction rules that help raise red flags for suspicious activity (for example if a transaction is over $1,000). Unfortunately, the false positive rate associated with these two approaches is high (and every bank uses a different model). These problems are compounded by the fact that financial service organizations do not typically share data with other institutions or competitors, and even if they did, the varying approaches in modelling would present additional roadblocks to collaboration.
To help financial institutions collaborate on anti-money laundering efforts – while meeting compliance guidelines – many are starting to turn to CC and FML. Here’s how it works. A group of 50 financial service organizations or banks decide to partner and create a governance network (again, they may or may not decide to use blockchain here), where they can share transactional data. This network requires each party to have a node (or server) running CPUs with TEE technology (one framework being used to accomplish this today is Hyperledger Avalon). All parties agree on an application model for processing customers’ data, which is run off-chain in the TEE or enclave of the CPU on the node. A centralized node is then used for all parties to upload the outcomes of a request into another TEE (encrypted). This process does not reveal any specific customer data; it typically just provides a risk-based assessment. CC and FML allow organizations to identify high-risk individuals without sharing complete transaction history data.
General Financial Approvals, Rate Calculations, Credit Scores and More
CC and FML approaches are also being applied to a variety of other use cases in financial services. For example, banks and credit card companies are creating partnership networks and using this technology to help validate legitimate customers. They’re able to gather a more complete picture of a customer’s financial health before extending credit or loans while reducing the risk of exposing customer data to a competitor.
Organizations are also creating networks to streamline market rate calculations for loans. Those in the network can more securely share rates they use for loans through the TEEs and let the application run calculations off-chain, then update the centralized node, where the master model runs a final rate calculation. This approach can eliminate the need for intermediaries (such as the Libor Index), or more likely, will be adopted by intermediaries to streamline calculations and reduce costs (while still giving banks a source of accountability).
Financial institutions also face challenges today when calculating an accurate credit score using transaction history, without giving away competitive information that could allow another card company to steal customers. With CC and FML, banks can privately share transaction and account information to help inform a credit score recommendation off-chain in the TEE, then upload it to the master model or applications. This gives everyone in the network a more accurate picture of a customer’s credit health.
This approach to understanding the level of risk associated with an individual can also be applied to loan fulfilment with larger global corporations. Large loans are often distributed across many banks (managed by one bank, fulfilled by a network of banks for example). Determining if fulfilment is a good investment requires understanding loan obligations to other banks globally. This generally requires the highly manual process of calling and validating with other banks (or using an intermediary that manages the process). But with CC and FML, organizations can evaluate how much debt has been issued, if there is a successful payment, if the covenants of the loan are being honoured, and more. This allows other organizations to better evaluate risk when deciding to issue more capital.
It’s exciting to see financial services institutions exploring these types of CC and FML use cases – even if adoption is in its infancy. Not only are organizations using the technology as it relates to blockchain networks, but also in ad hoc networks (or more trusted partnerships).