Data access controls within banks
An order last month by the UK Financial Conduct Authority (FCA) against Barclays Bank highlights the problems faced by banks and other financial services firms in controlling the access that their employees have to customer data. I have long heard complaints about this: for example, some bank employees keep telling me that as soon as their bonus is paid to them, other employees with access to the core banking software can find out the exact quantum of this bonus.
Now we have confirmation that when one of the largest banks in the world wants to limit who can see the information about a customer, the best they can do is to go back to paper hard copies stored in a vault.
The FCA order refers to a £1.88 billion transaction that Barclays arranged for a group of ultra-high-net-worth Politically Exposed Persons (PEPs) who wanted a very high degree of confidentiality:
Prior to Barclays arranging the Transaction, Barclays agreed to enter into the Confidentiality Agreement which sought to keep knowledge of the Clients’ identity restricted to a very limited number of people within Barclays and its advisers. In the event that Barclays breached these confidentiality obligations, it would be required to indemnify the Clients up to £37.7 million. The terms of the Confidentiality Agreement were onerous and were considered by Barclays to be an unprecedented concession for clients who wished to preserve their confidentiality. (Para 4.11)
In view of these confidentiality requirements, Barclays determined that details of the Clients and the Transaction should not be kept on its computer systems. (Para 4.12)
Barclays decided to omit the names of the Clients from its internal electronic systems in order to comply with the terms of the Confidentiality Agreement. As a result, automated checks that would typically have been carried out against the Clients’ names were not undertaken. Such checks would have included regular overnight screenings of client names against sanctions and court order lists. If, for example, the Clients had become the subjects of law enforcement proceedings in any jurisdiction, Barclays could have been unaware of such a development. No adequate alternative manual process for carrying out such checks was established by Barclays. (Para 4.49)
Some documents relating to the Business Relationship were held by Barclays in hard copy in a safe purchased specifically for storing information relating to the Business Relationship. This was Barclays’ alternative to storing the records electronically. While there is nothing inherently wrong with keeping documents in hard copy, they must be easily identifiable and retrievable. However, few people within Barclays knew of the existence and location of the safe. (Para 4.52)
I am sure that 130,000 clients of HSBC Private Bank in Switzerland (now accused of evading taxes in their home countries) wish that their data too was kept in paper form in a vault beyond the reach of Falciani’s hacking skills.
More seriously, banks need to rethink the way they maintain customer confidentiality. With "anywhere banking", where any branch or call centre can service any customer, far too many employees have access to the complete data of every customer. A lot of progress can be made with some very simple access control principles:
1. Every access to customer information must be logged to provide a detailed audit trail of who, when, what and why. Ideally, the customer should have access to a suitably anonymized form of these logs.
2. Every access must be justified by a specific task falling within the accessor's job profile.
3. Every access request should return only the minimal information required to complete the task for which access is requested.
For example, a customer comes to a branch (assuming such archaic things still exist) for a cash withdrawal. The cashier requests access by providing the details of the requested withdrawal, and the system accepts the request because processing such withdrawals is part of the cashier's job (Principle #2). The system responds with only a yes or a no: either the customer has sufficient balance to cover this withdrawal or not. The actual balance is not provided to the cashier (Principle #3). It should be emphasized that Principle #3 on its own is not enough: without Principles #1 and #2, the cashier could make repeated queries with different hypothetical withdrawal amounts and home in on the true balance by what computer scientists would recognize as binary search. Each yes/no answer halves the remaining range, so a balance known to be below a million can be pinned down to the unit in about twenty queries. Principle #2 blocks this by tying each query to a withdrawal the customer has actually asked for, and Principle #1 makes any remaining probing visible in the audit trail.
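The following is an added example, not code from the original post: a yes/no withdrawal oracle in the spirit of Principle #3, the binary search that recovers the balance when queries are free, and a second oracle that enforces Principles #1 and #2 by logging every query and accepting only queries tied to a withdrawal request the cashier cannot mint. All balances, cashier ids and request ids are constructed for the demo; the `probing_cashiers` check over the log is a hypothetical detective control, not a real product feature.

```python
"""Added example (not code from the original post): a yes/no withdrawal oracle,
the binary-search attack it invites when queries are free, and a version that
enforces Principles #1 and #2 (logging and task-bound justification).
Every account, cashier and request id below is constructed for the demo."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample ledger: hypothetical balances in whole currency units.
BALANCES = {"ACC-1001": 48_250, "ACC-1002": 1_337}


class NaiveOracle:
    """Principle #3 only: reveals just yes/no, but logs nothing and accepts
    any amount the cashier cares to type, so it can be probed at will."""

    def can_withdraw(self, account: str, amount: int) -> bool:
        return BALANCES[account] >= amount


def recover_balance(oracle: NaiveOracle, account: str, upper_bound: int):
    """Pin down the exact balance with about log2(upper_bound) yes/no queries."""
    lo, hi, queries = 0, upper_bound, 0
    while lo < hi:
        mid = (lo + hi + 1) // 2          # largest amount still in play
        queries += 1
        if oracle.can_withdraw(account, mid):
            lo = mid                       # balance >= mid
        else:
            hi = mid - 1                   # balance < mid
    return lo, queries


@dataclass(frozen=True)
class WithdrawalRequest:
    """Created by the teller system when a customer actually asks for cash;
    the cashier cannot mint one, which is what makes it a justification."""
    account: str
    amount: int
    cashier: str


@dataclass
class ControlledOracle:
    log: list = field(default_factory=list)          # Principle #1: audit trail
    requests: dict = field(default_factory=dict)     # request_id -> WithdrawalRequest
    consumed: set = field(default_factory=set)       # each request is answered once

    def can_withdraw(self, cashier: str, request_id: str) -> bool:
        req = self.requests.get(request_id)
        granted = (req is not None and req.cashier == cashier
                   and request_id not in self.consumed)    # Principle #2
        self.log.append({
            "who": cashier,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": req.account if req else None,
            "why": request_id,
            "granted": granted,
        })
        if not granted:
            raise PermissionError("no open withdrawal request justifies this query")
        self.consumed.add(request_id)
        return BALANCES[req.account] >= req.amount        # Principle #3: yes/no only


def probing_cashiers(log: list, threshold: int) -> set:
    """Hypothetical detective control over the audit trail: cashiers who
    queried one account more than `threshold` times (replays included)."""
    hits = Counter((e["who"], e["what"]) for e in log if e["what"] is not None)
    return {who for (who, _), n in hits.items() if n > threshold}


def demo_controlled():
    """One legitimate query, then a replay of it and a guessed request id."""
    oracle = ControlledOracle(requests={
        "REQ-7f3a": WithdrawalRequest("ACC-1001", 500, cashier="teller-07")})
    first = oracle.can_withdraw("teller-07", "REQ-7f3a")   # customer present: allowed
    refused = 0
    for request_id in ("REQ-7f3a", "REQ-0000"):            # replay, then a guess
        try:
            oracle.can_withdraw("teller-07", request_id)
        except PermissionError:
            refused += 1
    return first, refused, oracle.log


if __name__ == "__main__":
    balance, n = recover_balance(NaiveOracle(), "ACC-1001", 1_000_000)
    print(f"naive oracle leaked balance {balance} in {n} queries")
    first, refused, log = demo_controlled()
    print(f"controlled oracle: first={first}, refused={refused}, "
          f"flagged={probing_cashiers(log, 1)}")
```

The naive oracle gives away a six-figure balance in twenty questions; the controlled one answers each customer-initiated request exactly once, records the refusals, and the log is what lets an audit spot a cashier who keeps coming back to the same account.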
In my view, access controls are easy to implement if banks decide to prioritize (or regulators decide to enforce) customer confidentiality. However, access controls have their limits, and cryptographic tools are indispensable for more complex objectives. Banks need to promote further research into these tools in order to make them usable for their needs:
To deal with Falciani risk (a trusted insider bulk-exporting customer data), all customer data must be encrypted even inside the core banking software. The Snowden episode demonstrates that even system administrators must not have access to all information. Banks need to think very carefully about database-level and column-level encryption of the core banking data, and about keeping the keys out of the reach of the administrators who run those databases: encryption whose keys sit on the same host, readable by the same administrator, protects nothing against that administrator. Of course, banks also need to worry about the application security of their core banking systems: one publicly released security report on three different popular core banking software products revealed application security poor enough to constitute an operational risk for the banks concerned.
The problem that Barclays had of running automated checks against sanctions and court order lists while keeping the customer identity confidential can, in principle, be solved using a more sophisticated cryptographic tool, homomorphic encryption. Homomorphic encryption is a form of encryption which allows computations to be performed on data without first decrypting it. For example, suppose two numbers a and b have been encrypted into ciphertexts x and y, and it is desired to compute a+b. Homomorphic encryption performs some computation on x and y and produces a result z such that decrypting z yields a+b. The person performing the computation knows that she is adding two numbers, but does not know which numbers are being added. Moreover, she does not learn the sum; she obtains only an encrypted version of it. Only the holder of the decryption key can recover the sum by decrypting z.
Some special cases of homomorphic encryption, the partially homomorphic schemes that support only addition or only multiplication, are reasonably efficient, but fully homomorphic encryption, which supports arbitrary computation on encrypted data, is currently impractical. Banks need to think creatively about how to use partially homomorphic cryptosystems to achieve their goals efficiently. Simple transactions like deposits and withdrawals involve only addition (and subtraction), which are far more amenable to homomorphic encryption than more complex computations such as fuzzy matching of names against a list.
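As an added example (not code from the original post), the additive case the last two paragraphs describe, carried out with the Paillier cryptosystem, the standard additively homomorphic scheme: a key holder encrypts the opening balance and each movement, an untrusted system folds the ciphertexts into a closing balance without decrypting anything, and the key holder decrypts the result. The primes, amounts and the `settle`/`demo` helpers are constructed for the demo; the primes are far too small for real use and are fixed only to keep the run reproducible.

```python
"""Added example (not code from the original post): deposits and withdrawals
applied to an encrypted balance with the Paillier cryptosystem, which is
additively homomorphic. The party running settle() never sees an amount or
the balance. Key material is constructed for the demo and far too small for
real use (production Paillier uses primes of 1024 bits or more)."""
import math
import secrets

# Constructed toy primes (both prime); fixed so that keygen() is reproducible.
P, Q = 1_000_000_007, 1_000_000_009


def keygen(p=P, q=Q):
    """Public key (n, g) with g = n + 1; private key (lambda, mu, n)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                                # valid because g = n + 1
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r: equal amounts give
    different ciphertexts, so the settling party cannot even spot repeats."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    lam, mu, n = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def sub_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2)^-1 = Enc(m1 - m2)."""
    n, _ = pub
    return (c1 * pow(c2, -1, n * n)) % (n * n)


def to_signed(n, m):
    """Plaintexts live mod n; read values above n/2 as negative (an overdraft)."""
    return m - n if m > n // 2 else m


def settle(pub, enc_opening, enc_moves):
    """The core system's job: fold ciphertexts without ever decrypting.
    It knows whether each move is a deposit or a withdrawal, not its amount."""
    total = enc_opening
    for kind, c in enc_moves:
        if kind == "deposit":
            total = add_encrypted(pub, total, c)
        elif kind == "withdrawal":
            total = sub_encrypted(pub, total, c)
        else:
            raise ValueError(f"unknown move {kind!r}")
    return total


def demo(opening, moves):
    """Key holder encrypts, untrusted system settles, key holder decrypts."""
    pub, priv = keygen()
    enc_opening = encrypt(pub, opening)
    enc_moves = [(kind, encrypt(pub, amount)) for kind, amount in moves]
    closing = settle(pub, enc_opening, enc_moves)
    return to_signed(priv[2], decrypt(priv, closing))


if __name__ == "__main__":
    # Constructed sample day: opening 1000, deposit 250, withdrawal 1500.
    print(demo(1000, [("deposit", 250), ("withdrawal", 1500)]))
```

Note what the settling party does and does not learn: it sees the sequence of deposits and withdrawals and their count, but neither the amounts nor the balance, and because every encryption is randomized it cannot even tell that two movements were for the same amount. Sanctions screening compares names rather than adding numbers, so it needs more than Paillier's additive homomorphism; the ledger here is the simple case the paragraph singles out as tractable.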
It is desirable to allow compliance staff to verify that adequate documentation exists without being privy to the confidential information. Another advanced cryptographic tool comes to our rescue: the zero-knowledge proof. Suppose the relationship staff who know the client are trying to satisfy the compliance staff that they have obtained the requisite documentation from the client, but the compliance staff are not allowed to see the documents themselves, to protect the confidentiality of the customer. A zero-knowledge proof is a protocol that must satisfy three properties:
- Completeness: if the documentation actually exists, the compliance staff will be convinced of this fact by the “proofs” provided by the relationship staff.
- Soundness: if the documentation is missing, it is almost certain that the relationship staff would fail to convince the compliance staff that it exists.
- Zero-knowledge: if the documentation actually exists, the “proof” of its existence (provided by the relationship staff) will not allow the compliance staff to learn anything about the documentation other than that it exists.
The core procedure of a zero-knowledge proof is interactive: it consists of a series of challenges by the compliance staff and a series of responses by the relationship staff, designed so that fake responses are very hard to produce unless the challenge was known in advance; each round a cheater survives only by luck, and enough rounds make that luck negligible. At the same time, each challenge and response is designed not to reveal anything about the content of the document, and the responses to different challenges cannot be put together to learn anything either: a transcript of the exchange is something the compliance staff could have fabricated on their own, which is exactly why it leaks nothing and convinces nobody else.
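As an added example (not code from the original post), the classic interactive zero-knowledge proof of knowledge of a discrete logarithm, Schnorr's protocol run with one-bit challenges over many rounds, shows the three properties concretely: an honest prover always passes, a cheating prover who must guess each challenge passes a round only half the time, and a simulator produces convincing-looking transcripts without the secret. The secret `x` stands in for something the relationship staff hold and compliance must not see; `y = g^x` is what compliance already has on file. Proving that a particular document exists would additionally require a statement about that document (for example a commitment to its hash), which this toy does not attempt. The group parameters are toy-sized and constructed for the demo; real deployments use standard groups such as the RFC 3526 MODP groups or an elliptic curve.

```python
"""Added example (not code from the original post): an interactive
zero-knowledge proof of knowledge of a discrete logarithm (Schnorr's protocol
with one-bit challenges), with an honest prover, a cheating prover and a
transcript simulator. Parameters are toy-sized and constructed for the demo."""
import secrets

# Constructed toy group: safe prime p = 2q + 1, and g = 4 of prime order q.
P, Q, G = 1019, 509, 4


class HonestProver:
    """Relationship staff: hold the secret x; compliance holds only y = g^x."""

    def __init__(self, x):
        self.x = x                      # never leaves this object
        self.y = pow(G, x, P)

    def commit(self):
        self.k = secrets.randbelow(Q)   # fresh randomness every round
        return pow(G, self.k, P)

    def respond(self, c):
        return (self.k + c * self.x) % Q


class CheatingProver:
    """Knows y but not x: must guess the challenge bit before committing."""

    def __init__(self, y):
        self.y = y

    def commit(self):
        self.guess = secrets.randbelow(2)
        self.s = secrets.randbelow(Q)
        # t chosen so that the check passes iff the verifier sends self.guess
        return pow(G, self.s, P) * pow(pow(self.y, -1, P), self.guess, P) % P

    def respond(self, c):
        return self.s


def verify(prover, rounds=20):
    """Compliance side: random 1-bit challenges; True only if every round
    checks out. A cheater survives all rounds with probability 2**-rounds."""
    y = prover.y
    for _ in range(rounds):
        t = prover.commit()                       # commitment
        c = secrets.randbelow(2)                  # challenge
        s = prover.respond(c)                     # response
        if pow(G, s, P) != (t * pow(y, c, P)) % P:
            return False
    return True


def cheat_rate(y, rounds, trials=500):
    """Fraction of trials in which a cheating prover convinces the verifier."""
    wins = sum(verify(CheatingProver(y), rounds) for _ in range(trials))
    return wins / trials


def simulate_transcript(y, c):
    """Anyone can forge a valid-looking (t, c, s) for a chosen c without x,
    so a transcript proves nothing to a third party and reveals nothing."""
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(pow(y, -1, P), c, P) % P
    return t, c, s


def transcript_checks(y, transcript):
    t, c, s = transcript
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    prover = HonestProver(123)                    # constructed secret
    print("honest prover accepted:", verify(prover, rounds=20))
    print("cheater, 1 round:", cheat_rate(prover.y, rounds=1))
    print("cheater, 20 rounds:", cheat_rate(prover.y, rounds=20))
    print("simulated transcript verifies:",
          transcript_checks(prover.y, simulate_transcript(prover.y, 1)))
```

Two details matter in practice. The verifier's challenge must be unpredictable to the prover, or the cheating strategy above always works; and the prover's randomness `k` must be fresh each round, since reusing it across two different challenges lets the verifier solve for `x` from the two responses.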
The regulatory regime needs to be redesigned from the ground up to exploit zero-knowledge proofs. The effort involved is non trivial, but the benefits are well worth the effort.
Posted at 5:04 pm IST on Sun, 20 Dec 2015
Categories: banks, technology