White Paper

The Next Generation of Data-Sharing in Financial Services: Using Privacy Enhancing Techniques to Unlock New Value

September 2019

Prepared in collaboration with Deloitte

World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
Email: contact@weforum.org
www.weforum.org

© 2019 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

This white paper has been published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum, but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.

Contents

Foreword
Introduction
Chapter 1: Privacy in the financial sector
The benefits of data-sharing
The potential drawbacks of data-sharing
Changing the dynamics of data-sharing
Chapter 2: Privacy enhancing techniques
Technique #1: Differential privacy
Technique #2: Federated analysis
Technique #3: Homomorphic encryption
Technique #4: Zero-knowledge proofs
Technique #5: Secure multiparty computation
Chapter 3: Applications in financial services
Unlocking new value for financial institutions
Unlocking new value for customers
Unlocking new value for regulators
Closing comments
Appendix
Benefits and limitations of techniques
Further reading
Acknowledgements
Endnotes

Foreword

The centrality of data to the transformations of the Fourth Industrial
Revolution is today so self-evident as to have become a cliché, and whether you believe data is the new oil, the new gold or even the new bacon, there is no doubt that its growing importance is shifting the priorities of the private sector. However, while many column inches have been dedicated to the competitive scramble to accumulate vast troves of data, less attention has been paid to the growing appetite of firms to unlock the power of data-sharing between institutions. Within the financial system specifically, we have seen a significant increase in the appetite for such collaborations across use cases ranging from improving fraud detection to enabling new forms of personal financial advice.

Of course, sharing data is not without risks. The potential value of collaboration must be weighed against its implications on customer privacy, data security and control of competitively sensitive data. Historically, this balance between privacy and utility has created tensions and conflicting objectives in the financial services industry, where any value obtained through data-sharing often needed to be weighed against the potential increase in privacy risks. These tensions have seen many seemingly promising opportunities for data-sharing shelved long before they could be deployed.

However, an emerging set of technologies called “privacy enhancing techniques” have the potential to fundamentally redefine the dynamics of data-sharing by eliminating or greatly reducing the risks historically associated with collaboration. As these technologies mature, they will demand a re-examination of a host of mothballed data-sharing projects and the exploration of previously unimaginable opportunities.

Privacy enhancing techniques have the potential to unlock enormous value for the financial sector but they will do so only if senior executives and regulators have an awareness and working understanding of these mathematically and computationally complex techniques.
The purpose of this paper is to provide an abstract and easy-to-grasp understanding of some of the most promising techniques emerging today and an illustration of how they might be deployed in the financial system. In doing so, we hope to support the emergence of a more collaborative financial environment where shared data can lead to shared benefits for financial institutions, customers and the broader financial system.

Matthew Blake, Head of Future of Financial and Monetary Systems, World Economic Forum
Jesse McWaters, Financial Innovation Lead, World Economic Forum
Rob Galaski, Global Leader, Banking

each institution holds a piece of the puzzle (i.e. data) when it comes to answering important questions such as “is this customer creditworthy?”, “are these traders colluding?”, or “is this transaction fraudulent?” However, with only their own data, financial institutions like the three blind men risk drawing the wrong conclusions. In the parable, sharing information is the key to unlocking the mystery of the elephant and building a complete picture of the pachyderm at hand. Unfortunately, this kind of data-sharing is not so easy for financial institutions. Unlike the blind men, they face many restrictions on how they store, manage and share data that, until recently, have made it impossible for them to build a comprehensive picture of their customers and operating environments.

The value of the whole of data is greater than its component parts, but capturing this value is fraught with complexity and conflicting goals. For example, by sharing data, financial institutions would be able to better identify patterns that suggest transaction fraud, leading to fewer false positives in the detection of financial crime. However, they are wary of disclosing valuable competitive intelligence on their customer base, and of creating tensions with privacy regulations.
It is important to note that it is not only financial institutions that stand to benefit: By sharing data, customers would be able to benefit from more personalized, specific and nuanced advice. However, they are wary of their data being misused, abused and shared without their consent.

These examples highlight the tensions of sharing data; there is value to be derived from doing so, but it traditionally diminishes privacy (of the individuals whose data is being shared) and confidentiality (of the institutions supporting the data-sharing). Historically, great effort has been dedicated to navigating these conflicting objectives and operating the financial system in a way that institutions, customers, civil society and regulators are all amenable to.

“Privacy enhancing techniques” allow institutions, customers and regulators to unlock the value in sharing financial data without compromising on the privacy and confidentiality of the “data owners” (i.e. customers) and “data stewards” (i.e. financial institutions). These techniques are not new, but significant developments in recent years have transformed them from research curiosities to production-ready techniques with the potential to alter the fundamental nature of data-sharing.

This document is intended for use by executives at financial institutions across subsectors (e.g. insurance, banking, investment management); it provides a high-level overview of how these privacy enhancing techniques work, and the value they can unlock within financial institutions. In this White Paper, we will:

Chapter 1: Take a closer look at the tensions surrounding privacy in the context of the financial sector
Chapter 2: Understand how several privacy enhancing techniques work
Chapter 3: Demonstrate how they could be used to enable new types of data-sharing

This report includes three chapters:

Chapter 1: Privacy in the financial sector
Chapter 2: Privacy enhancing techniques
Chapter 3: Applications in financial services

Chapter 1: Privacy in the financial sector

Competing objectives surrounding the use of data pull financial institutions in a variety of different directions when it comes to deciding how data is to be stored, managed and shared. These tensions have historically existed across three different domains: within institutions themselves, their regulators and their customers. Below, we explore the conflicting objectives (the benefits of data-sharing and its drawbacks) for each of these three domains.

[Figure: Institutions, Regulators, Customers]

The benefits of data-sharing

Financial institutions can benefit from three forms of data-sharing:

Inbound data-sharing (acquiring data from third parties)
Outbound data-sharing (sharing owned data with third parties)
Collaborative data-sharing (inbound and outbound sharing of similar forms of data)

Inbound data-sharing allows institutions to enrich their decision-making systems with additional information, leading to higher-quality outputs and more accurate operations. For example, trading firms can use third-party services such as Thomson Reuters MarketPsych Indices[1] to inform their buy/sell decisions with social media data, hypothetically leading to a more accurate understanding of market sentiment.

Outbound data-sharing, on the other hand, allows institutions to draw on capabilities (and offer customer benefits) that they may not own internally. For example, Wealthsimple, a robo-adviser, allows its clients' portfolio information to be pulled into Mint through a secure connection,[2] so that customers can see their investment balances alongside their day-to-day spending and build a comprehensive understanding of their finances.

Finally, collaborative data-sharing allows institutions to achieve a scale of data that they would not be able to reach on their own, unlocking a depth and breadth of insights that would otherwise not be possible. For example, six Nordic banks recently announced a collaboration to develop a shared know-your-customer (KYC) utility[3] that will allow them to strengthen their financial-crime prevention systems.

For regulators, data-sharing presents an opportunity to return control and ownership of financial data back into the hands of customers, ultimately leading to increased competition and innovation. This is seen in the Open Banking Standard in the UK, PSD2 more broadly in the EU, the Consumer Data Right in Australia, and other forms of Open API regulations in Singapore, Hong Kong and Japan. Each of these regulations, in some form, requires institutions to make the data they hold on their customers (e.g. transaction data) available to accredited third parties as requested by the customer. This allows new market participants to access the data and build new value propositions; ultimately, regulators believe this will lead to improved financial outcomes for citizens.[4]

For customers, sharing data allows them to receive specific benefits whether in the form of higher-quality products or more efficient services. For example, Lenddo provides customers with a higher-quality (i.e. potentially more accurate) credit score by analysing their social media data, telecom data and transaction data.[5] Customers are increasingly aware of the value of their personal data and seek to share it (whether by directly providing an institution with more information or authorizing an institution to share their data with a third party on their behalf) only when the benefits received in exchange are meaningful.[6]

The potential drawbacks of data-sharing

However, there are also several factors that inhibit the sharing of data in financial services. For financial institutions, any outbound data-sharing presents the risk of exposing competitive knowledge (e.g. the identities of customers and their characteristics) that could be misused by third parties. Furthermore, sharing data may run afoul of privacy regulations such as GDPR, or introduce complexities to the necessary processes (e.g. building out new mechanisms to ensure informed consent) that outweigh the potential benefits. And finally, with the increasing use of AI and other advanced analytical techniques, executives at large financial institutions have begun to worry about the “creep factor”: knowing too much about a customer and alarming them.

For regulators, protecting consumers' financial and non-financial confidentiality is a critical responsibility, and limiting the sharing of data has historically been the instrument to achieve this.[7] For example, the Gramm-Leach-Bliley Act of 1999 in the United States requires financial institutions to communicate how their customers' sensitive data is being shared, allow them to opt out, and apply specific protections on what is shared.[8]

In recent years, regulatory authorities around the world have also introduced new and more stringent customer privacy requirements. For example, GDPR in the EU requires institutions to, among other things, provide customers with easier access to the personal data about them held by the institution. Other regulations prevent firms from sharing personally identifying information (PII) across country borders to protect national customer privacy, potentially preventing multinational institutions from analysing their own internal data throughout their organization. Such requirements make certain types of data-sharing impossible, or so expensive, complex and time-consuming that the business case for doing so is weakened.

Finally, while customers seek additional benefits from sharing their data, they are also increasingly wary that their data could be misused by the firms that hold it: A survey conducted by Harris Poll shows that only 20% of US consumers “completely trust” the organizations they interact with to maintain the privacy of their data.[9] This is no doubt exacerbated by several high-profile security and privacy breaches in 2018, including Cambridge Analytica,[10] Capital One,[11] Google+,[12] Aadhaar[13] and others. Customers fear that their data could be used to harm them (e.g. through identity theft) and more broadly that unintended parties can learn something about them that they wish to keep private (e.g. sensitive purchase history).[14]

Changing the dynamics of data-sharing

As illustrated, privacy tensions exist for every stakeholder in the financial services sector, and navigating these tensions has historically left significant value in data-sharing uncapturable. However, emerging privacy enhancing techniques are enabling institutions, customers and regulators to share data in a way that helps to achieve a balance between competing opportunities and obligations, allowing for data-sharing that is compliant with regulatory principles, protects the privacy of customers and safeguards the confidentiality of institutions' business processes. These techniques have the potential to expand the range of feasible data-sharing opportunities i