How can banks collaborate to stop crime without compromising security? Ellison Anne Williams, the Founder and CEO of Enveil, talks about using homomorphic encryption to help banks beat money-laundering.
Analysing data is the backbone of the digital economy. But holding data in silos doesn’t make analysis easy.
That’s one reason why banks are increasingly moving their core technology onto the cloud. Cloud-hosting offers flexibility and lots of new applications – among them ways to fight money-laundering.
But moving data off-premise and sharing it with third parties is a privacy risk. In particular, once data is decrypted to be used in analysis, it’s vulnerable. No one wants their data to be vulnerable.
The potential loss from privacy breaches is both reputational and financial.
GDPR regulations make firms liable for a fine of up to €20m, or 4% of annual global turnover – whichever is greater – if they compromise customer data. And no one trusts firms that cannot keep personal data secure.
AML and privacy requirements
Preventing privacy breaches is not, however, the only regulatory and reputational pressure banks face.
Money-laundering generates splashy headlines and financial regulators come down hard on firms that break anti-money laundering (AML) rules. To fight money-laundering, though, banks must share data. What to do?
“Banks want to be able to reach out to peer institutions for information,” says Ellison Anne Williams, Founder and CEO of Enveil.
“But the information given for functions like onboarding is very sensitive, so it can’t just be exposed to another organisation. Also, banks are competing for customers.”
Traditionally, firms have used a ‘perimeter of security’ approach. Selected data is placed in a secure environment where it can be decrypted, computed and re-encypted.
The problem, Williams points out, is that if the perimeter is breached “everything is available, free and clear”.
What is homomorphic encryption?
There is another way, Williams says.
“If that information is never decrypted, banks [sharing data] neither expose their customer base nor violate regulations.”
Enveil helps firms compute encrypted data by using ‘homomorphic encryption’ – the “holy grail” of data privacy, as Williams freely admits.
It means, according to a paper by IBM’s Craig Gentry, “a third party can perform complicated processing of data without being able to see it. Among other things, this helps make cloud computing compatible with privacy.”
Processing data without seeing it
But does homomorphic encryption work in practice? It has been a computing challenge for 40 years.
Frank Stajano is Head, Academic Centre of Excellence in Cyber Security Research, and Fellow at Trinity College, Cambridge.
He says, “Claims of major progress in homomorphic encryption have been made in the last decade, and there have certainly been substantial advances compared to the first purely theoretical papers.
“However, we are still at the point where only a small subset of practical problems are actually tractable.”
Williams says that Enveil has the “first-and-only commercial solution to ensure…full lifecycle security at scale”. And that it does work.
Enveil’s technology can multiply two encrypted values and it can add two encrypted values.
“How do you take multiplication and addition and turn that into encrypted searches…and encrypted machine-learning? That is absolutely non-trivial and it is our secret sauce,” says Williams.
“We are very transparent with people. We don’t want them to have to press the ‘I believe button’. We give them frameworks and tools to verify [the analysis] and we help them understand that we do what we say we do.”
Find out more about our new Level 3 Certificate in Retail and Digital Banking
See our Centre for Digital Banking and Finance