Banks looking to confidential computing for solutions to money laundering, theft, and fraud

Tech companies are offering this emerging technology to help financial institutions secure data while it is being processed.

Financial institutions and banks are struggling more than ever to mitigate digital theft, fraud, and money laundering activities. Almost all banks are subject to Know Your Customer regulations that are resource-intensive and manual in nature.

To address the problem, some tech companies are offering up confidential computing as a potential solution. Combined with federated machine learning, companies like Intel say confidential computing can predict who is money laundering within secure enclaves without revealing sensitive information.

“The traditional processes that banks and other financial institutions employ are a bit resource-intensive and often those processes are manual so they’ve innovated to add some software modeling in an attempt to draw inferences from patterns that they see in their transactions and in their operations to help inform a potential theft, fraud or money laundering,” said Michael Reed, director of the Blockchain Program at Intel.

“But even those have high false-positive rates which can be disruptive to their customer relationships and also just cost them more time and money in their operations. Confidential computing is a new tool that banks and other corporations are using to help address their own security challenges. It’s an emerging technology that helps secure data while it’s in use.”

Reed explained that many companies can encrypt data while it’s at rest, but it is far more difficult to secure it while it’s being processed.

Confidential computing uses an isolated portion of memory, often called a trusted execution environment or TEE, that reduces the potential for exposing sensitive data and also ensures that the right software program is running on the right machine and produces valid results.

This process helps enterprises using data in multiple locations like on-premises, in the cloud, and at the network edge. TEEs gives the enterprise IT manager comfort, transparency, and liability for the workload that’s running, Reed said.

“What confidential computing can do for any money laundering and banks is it can really turn it into a team sport. It allows companies to collaborate to get better results. The way they do that is they use a technique called federated learning or sometimes called federated machine learning,” Reed explained.

“It allows companies to collaborate without exposing their private data to each other, such as bank account details, to determine and draw inferences about money launderers. You need to know the transactions that they’ve traditionally made, perhaps at a competing bank. What federated learning can do is allow machine learning algorithms to understand those transactions without sharing those transactions themselves.”


Anticipate money laundering challenges

Reed added that this helps banks operate better in terms of anticipating any money laundering challenges in their Know Your Customer processes and reduces the false positives. It also allows banks to benefit from the inferences made off of alternative banks’ data without anyone actually having to see the data.

Federated learning turns the Know Your Customer process “into a team sport,” Reed noted, explaining that all of the participating companies in a network keep their data to themselves and the machine learning algorithms come to the data and run in a trusted execution environment. 

That means your encrypted data can load into that trusted execution environment. The machine learning algorithm can learn from that data and then report the aggregate machine learning algorithm with a collection of others across the network so that you come up with a master algorithm that’s really informed by the data sets of each participating bank,” Reed said.

“That master algorithm is of course distributed among those banks again and run in a trusted execution environment and the inferences drawn off that master algorithm are much smarter than the inferences that you can draw off of an algorithm that was trained off the data set of one bank alone.”

The emerging technology is being used by banks increasingly in other spheres beyond money laundering, particularly in places where collaboration can produce better results. Reed mentioned credit qualifications, market-rate calculations, credit scores, loan fulfillment, and more as areas where confidential computing would be useful. Some healthcare institutions are also using it.

To address privacy concerns, MobileCoin co-founder and general counsel Shane Glynn said they use confidential computing and Intel SGX to anonymize its customers’ financial data.

“Thanks to the Intel SGX technology, we can verify that the piece of code running on someone else’s computer is the same piece of code running on your computer—and we use that knowledge to build a trusted system,” Glynn said. “With Azure confidential computing, our customers can be confident that the people running the network have no insight into what transactions are being processed, the amounts processed, or who is involved in the transactions.”

Ambuj Kumar, CEO and founder of Fortanix, said confidential computing and the use of federated machine learning are gaining traction because these algorithms are only useful if they are fed enough data.

Kumar said banks need to know what a customer is doing at other banks in order to protect themselves from all falling victims to the same scams.

“Even with a perfect algorithm, you need to do cross-bank detection because people might use one bank for one thing so you need to cross-correlate and that is possible only when you can trust other banks with your data. That can happen only with confidential computing,” Kumar said.

“What confidential computing allows them to do is run something called privacy-preserving analytics, so you can analyze a whole bunch of retail information and commercial info.”

Fortanix works with a number of banks and financial institutions like PayPal using this technology. He noted that while money laundering and fraud may seem like secondary concerns, much of the money stolen and sent around the world goes toward more violent crime.

“It is really used for heinous crimes, so it’s not just about money. It’s about human values,” Kumar said. “Any technical breakthrough like confidential computing should be considered seriously by every single bank because it could mean that someone is not traumatized.”

Marcel Mitran, CTO of IBM LinuxONE, said banks, in general, have been worried about putting any sensitive data in the public cloud due to concerns over data-privacy and governance.

Even with the assurances offered by cloud vendors that no data will be accessed or misused, banks still have to worry about insider threats at the cloud provider, human error, or compromised privileged credentials via social engineering attacks.

The technical security assurances provided by confidential computing make it provably impossible for anyone at the cloud provider — even employees with the most elevated privileged authority — to ever access or see the bank’s data or applications, Mitran said. This provides levels of assurance required to meet the strict regulatory requirements of the financial services industry.

IBM’s work on confidential computing projects, he said, have underpinned decisions by banks like Bank of America, MUFG and BNPP’s to select the company’s cloud services. The company is also working hard on a number of different projects involving confidential computing and emerging fintech industries.

“Managing sensitive and private information is at the core of any bank’s business,” Mitran said. “Confidential computing allows banks to maintain full authority of their data and workloads to meet regulatory compliance while ensuring the security, privacy, and integrity of their clients’ banking information. As banks are being pressed to innovate faster to maintain a competitive edge, many are looking at cloud as a means to enable them to be more agile.”


by Jonathan Greig, November 25, 2020, published on TechRepublic 

Recent Posts