Every year, as much as $2 trillion of illegally obtained money floods into the financial system. Money laundering is a global problem, and banks’ efforts to tackle it can be hampered by the difficulty in sharing financial data, which is often highly sensitive and subject to privacy regulations such as GDPR.
But what if banks and other financial institutions could glean insights from each other’s data while it is still safely encrypted? That’s the promise of a technique called homomorphic encryption, which is being increasingly talked about in financial circles, and is currently the subject of a research collaboration between the Turing and HSBC.
“Homomorphic encryption is becoming a really big deal,” says Carsten Maple, Turing Fellow and Professor of Cyber Systems Engineering at the University of Warwick. “There is a lot of excitement about how this technique can allow sensitive data to be shared for the greater good.”
Safety in numbers
There are many factors that can prevent financial institutions from sharing sensitive data. As well as privacy regulations, institutions may be worried about giving commercial information to competitors, for instance, or about the data falling into criminal hands.
Homomorphic encryption – a technique which belongs to the broader family of privacy-enhancing technologies – can overcome these issues by allowing analysis to be performed on encrypted data, so that another party can make use of the data without accessing the raw information. Think of it as a magical safe. The data is put into the safe (i.e. it’s encrypted), which is then sent to whoever needs it. The receiver doesn’t have the key to the safe, but through the power of mathematics (that’s the magic), they’re able to analyse the original data without needing to see that data. What’s more, the results of the analysis are also encrypted, so only the holder of the key can unlock the results.
The term ‘homomorphic’ gives a clue as to how this technique works. From the Greek for ‘same shape’, a homomorphism is a mathematical map that changes one algebraic system to another without altering the system’s underlying structure. In the context of homomorphic encryption, the data is encrypted in such a way that its structure is preserved, meaning that mathematical operations on the encrypted data produce equivalent results to those operations on the unencrypted data.
Homomorphic encryption isn’t a new idea – it was first proposed in 1978, but the early schemes were only capable of a limited number of operation types, such as addition or multiplication. It wasn’t until 2009 that Craig Gentry, then a PhD student at Stanford University, proposed the first fully homomorphic encryption system, proving that it is theoretically possible to run any mathematical operation or computer program on the encrypted data.
One of the most promising applications for homomorphic encryption is in tackling money laundering, where criminals process money that’s been made illicitly (e.g. through drugs trafficking or bribery) so that it appears to have come from a legitimate source. Often, criminals will divide the dirty money into smaller amounts to help them avoid detection, depositing the money in different bank accounts around the world, sometimes using different identities. If banks could more effectively share information about suspicious activity, either within their organisation or with other organisations, they could more quickly pool their intelligence and identify the money launderers.
HSBC is one of the banks exploring the use of privacy-enhancing technologies such as homomorphic encryption. The Turing and HSBC this year strengthened their long-running partnership by launching three new joint projects that are looking at the potential of these technologies to enable secure data sharing. One project is carrying out an in-depth investigation of real-world, regulator-approved applications of homomorphic encryption in the finance sector (the findings will be published in a report towards the end of this year), while another project is developing a homomorphic encryption tool that’s specifically aimed at tackling financial crime.
“We are a global bank – we have offices in 63 countries and territories,” says Michael Shearer, Group Head of Compliance Product Management at HSBC. “To counter money laundering, we need to share data across geographical borders securely, and we hope that homomorphic encryption will help us to do that.”
Homomorphic encryption has plenty more potential applications in the financial world. By securely sharing and analysing data, institutions may be able to clamp down on credit card fraud (by, for example, sharing information about fraudulent activity with other banks), and better manage risks associated with loans and mortgages. Customers are also more likely to trust a bank if they can be assured that their data is being encrypted using the highest security techniques.
On the cusp
Since Gentry’s breakthrough, efforts to implement homomorphic encryption in the real world have been hindered by the technique’s slow speed. Back in 2009, using Gentry’s method to carry out a Google search on an encrypted keyword would have required a trillion times more computing power than the same search on an unencrypted keyword. But as researchers tweak the technique, the computational requirements have plummeted. Today, the fastest homomorphic encryption tools are around 1,000 times slower than using unencrypted data, but that difference will continue to drop.
“Analysing encrypted data is never going to be as quick as analysing unencrypted data,” says Maple, “but the time difference has now reduced to the point where organisations and investors are sitting up and taking notice. People are willing to sacrifice a small amount of computing time if they’re able to reap the benefits of data sharing.”
The main hurdle to getting homomorphic encryption into common usage is now regulatory rather than technological, says Maple. “We need to get the regulators and lawyers onboard with this technology so that organisations have the confidence to invest in it.” A major part of this will be the development of technical standards so that the technique is used safely and consistently – the Homomorphic Encryption Standardization project is already making progress in this direction.
It seems only a matter of time before homomorphic encryption enters the mainstream. “The need to both protect and analyse data is only going to grow,” says Shearer. “The beauty of this technique is that it allows you to do both things at once.”
Top image: NeoLeo / Shutterstock