14. Data Democratization Podcast: Privacy blindspots in banking with Amir Tabakovic, Mobey Forum

Amir Tabakovic has lots of experience in developing banking products, and as a chairman of the AI and Data Privacy Experts Group at Mobey Forum, he has a very good overview of privacy best practices and the most common mistakes in the banking industry. Listen to this episode to learn: 

  • How to develop customer-centric banking products and take them to market?
  • How can traditional banks compete with neobanks?
  • What are privacy-enhancing technologies?
  • How should banks leverage privacy tech for success?
  • Which privacy technology to choose when?
  • How to make privacy-by-design happen from an organizational point of view?
  • What is the difference between pseudonymization and anonymization?
  • What’s the problem with legacy anonymization technologies?

Amir and his team at Mobey Forum recently published a report entitled The Digital Banking Blindspot: Emerging Privacy Enhancing Technologies. Download the report if you would like to get a detailed overview of how privacy tech is changing the banking industry!

Subscribe to the Data Democratization Podcast on SpotifyApple Podcast or wherever you get your shows! Listen to the previous episode and read the transcript about the regulatory challenges of ethical AI, fairness and data anonymization with Behrang Raji!

Jeffrey Dobin: Welcome to the Data Democratization Podcast. I’m Jeffrey Dobin from Duality, along with my cohost Alexandra Ebert from MOSTLY AI. Alexandra, how’s it going?

Alexandra Ebert: Everything great, Jeff, and on your side?

Jeffrey: All good over here. Who are we meeting with today?

Alexandra: We have a great guest today on the show again. I’ll be talking to Amir Tabakovic. Amir spent over eight years as head of market development at PostFinance, a Swiss financial service provider. He’s particularly experienced in implementing digital innovations, business strategy development, distribution of digital financial services, and also data monetization. Nowadays, Amir is a business development executive. He’s also the chairman of the AI and Data Privacy Expert Group at Mobey Forum.

He’s leading the Privacy and Innovation Degree Program at the International Institute of Management and Technology in Switzerland. Really vast experience that we have here on Amir’s side.

Jeffrey: Wow. Amir has a pretty impressive resume, I might say.

Alexandra: Indeed.

Jeffrey: I know from speaking with Amir that he’s worked on this with his group and they’ve recently published a really amazing report on privacy-enhancing technologies at the Mobey Forum.

Alexandra: Absolutely. It’s called the Digital Banking Blind Spot Report. I think our listeners should definitely go check this out. There are many valuable takeaways in there as well.

Jeffrey: Let’s hear from Amir then and get started.

Alexandra: Hi, Amir. It’s really great to have you on the show today. Can you introduce yourself to our listeners and share a little bit about both your background and how you ended up in AI and data privacy?

Amir Tabakovic: Hi, Alexandra. Thanks for having me here. I am 44 years old, currently living in Switzerland. I studied economics, but always worked in technology, medical diagnostics, web technologies, Fintech, machine learning, privacy-enhancing technologies. You could say I have a sweet spot for early-stage technologies. I had my first experience with AI and privacy when I was leading a data monetization project at PostFinance 10 years ago. We were trying to predict customer future spending based on the past financial transactions and turn those predictions into lead generations for merchants.

That was a pretty bold value proposition for a bank at that time. We were moving through uncharted territory. I later joined the machine learning startup to learn more about AI only to understand that privacy remained an unsolved problem and the bottleneck for many AI projects. Now that machine learning and AI is more broadly accepted, I feel that privacy-enhancing technologies deserve my full attention.

Alexandra: One thing I would love to talk about. You are really one of those persons that live and breathe innovation, and you also spent eight years at PostFinance at head of market development. Can you share what was the most exciting project that you worked on during this time?

Amir: When I joined PostFinance, I realized that the data is an idle asset. Just think of all this transaction data that lies around and tells a story about customer behavior. It’s something like your daily journal. You get up, you purchase your first coffee on the way to work, then you take public transportation, and so on. Everything is there. This data has a huge potential to do something good to help your customer, to coach him, to, first of all, visualize this data in a way that makes this data understandable, that helps a customer to make conclusions and improve life.

That was something very interesting because this is also the internal fight within the bank between good and evil. You can use these insights to help the customer to fulfill their financial goals and focus on that. Or you can learn from this data and see how can you optimize and increase the late fees, the overdraft fees, and increase the demand for consumer credits. That’s the dark side.

Alexandra: I would definitely prefer to be a customer of the first category of banks. I’ve also seen plenty of these service offerings popping up recently that they really help coach you with your personal financial decisions. Just what comes to my mind, there were a few studies done that people in general are not the best when it comes to think about long-term implications. It would be quite wise to have some money on the side for your time in retirement. Was this also intended that this consulting or personal finance coaching could help you to achieve your savings goals or something like that?

Amir: Yes, absolutely. It was a really step-by-step approach. The idea was to become the customer’s financial coach in a way. The first step is to show to the customer what he does, what he has, then to help him define his objectives and show him how he can achieve those objectives. It’s a long journey. From a technical standpoint, it’s a complex application to build, but this would help the customer immensely because we are not built in way to always have our long-term goals in front of us.

Alexandra: Absolutely. Since you just mentioned it was a long process. What were the biggest challenges that you encountered during this project and how did you overcome those?

Amir: The biggest challenge for me personally, was to be patient enough to wait almost five years until we came up with a first solution and introduce this solution to the market. We still manage to be the first bank in the region to come up with a PFM which was fully integrated in the online banking application. Waiting for something for five years, it’s tough.

Alexandra: It takes some patience. Quick question, PFM, for our listeners who are not in the banking space, what is a PFM?

Amir: PFM is personal financial management. It stands for exactly these applications that help you on one hand to visualize your data, to automatically categorize your spending in different categories, and also to do some projections of your spending so that you get the feeling what is your financial health index.

Alexandra: Understood. Since you mentioned that really patience was key, why did it take so long in the first place? Was it access to data, bureaucracy, that you need to convince people? What were the main aspects?

Amir: All of that and much more. Access to data, absolutely. Understanding of some simple things that no customer will spend time categorizing their data themselves, but we need to build intelligence that is able to recognize what is the spending category automatically puts this spending in the right bucket. You had to do many things on your own if you wanted to proceed to make a step forward. Especially in the beginning, nobody believes that this is a good idea. There people are saying, “Just go for it, try it.” Then, eventually, the idea is getting momentum and that’s when things get very exciting.

Alexandra: Okay. Did you have some supporters within other departments? Is it important to have supporters? Or was this something that was pulled off mainly by your department of market development?

Amir: No. I had many supporters and some of those supporters became my good friends. I still have contacts with them and we have regular calls. We have to acknowledge that many things haven’t changed in the past 10 years. The same challenges are coming always in a different form, but it’s fun.

Alexandra: That’s the main point. What would you say are your top tips for our listeners who also work in the banking environment and want to innovate? What were your most valuable learnings? How to speed up a process like that, or just manage to bring something to market eventually?

Amir: Persistence. The ability to tell a great story about how this solution is going to help your customer, to believe in it. Sometimes, even if you’re not qualified in certain tasks, which is a barrier to continue, is to make your hands dirty. To learn a new skill to bridge this and continue with your innovation.

Alexandra: That’s always a good point. Can you give us a more specific example of what was this type of skill, for example, that you had to learn to make this project a success?

Amir: Well, I already mentioned there was this idea of, can we make this system recognize which category of spending it is. IT told us, “Maybe this is possible, but we have no idea how this could work. Go and figure it out yourself and then come back.” What we did at that point is, we just, built a query and tried a few things out although we were not very skilled in that. Then we found out that, just by implying, I think around hundred fixed rules, even no machine learning at all, you could guess and predict around 80% of the spendings right. That was a quick fix and we could prove that this is possible. Then things continued in the right way, then the data scientists came into play and we improved the solution.

Alexandra: That sounds good. You mentioned that even though the process took five years, you were the first that had this type of offering on the market. Now, what we hear from the industry is of course, that there is increasing pressure from all these super innovative and fast neo banks. How can large enterprises in the financial services industry keep up in this competitive landscape?

Amir: The banks are focusing on regulations. Neobanks are focusing on technology. In my opinion in this game of rock, paper, scissors, technology always beats regulation. But in a positive way. Regulation is not there just to be in the way of innovation. It’s just forces you to comply with some things which are important in our society. Technology will find a way to fulfill both requirements. On one hand, you want to provide something very exciting for our customers. On the other hand, you want to be compliant with regulatory framework.

Basically, you can have a cake and eat it too. The neobanks are much better in doing so because they are using technologies like for example, privacy-enhancing technologies. If a bank wants to keep up with that, they have to change their mindset and start thinking: How can we, and let’s take privacy as an example, how can we do privacy engineering in a way that we reach our objectives? Do something great for our customer and still protect customer’s privacy?

Alexandra: Yes. I would also agree that it really should be about reconciling regulatory requirements and technology and innovation. I’m glad that we live in an environment where it’s not either, or. But of course, I think one of the main challenges for banks is to really find the practical solutions on how to merge those two aspects. This brings me to next question. You’re also the chair of the Mobey Forum expert group on AI and privacy. You just issued a report together with your team called the Digital Banking Blind Spot. What is this report about and why should banking leaders absolutely go and download it?

Amir: A bit more than a year ago, I was discussing with some of my colleagues from Mobey Forum that privacy is getting more and more relevant for banks and digital services. We realized that this is a topic that still isn’t covered properly within the banking world. That’s the perfect starting point for getting an expert group together with different banks and also technology vendors to start discussing this topic. The purpose of this first paper was, to provide a basic understanding about the problem behind the privacy. What are the challenges and what are the solutions for the privacy problem? It’s a basic overview and the target group of this report are decision-makers. Those who see they’re struggling with problems, but are too far away from operative work to understand why the regulation is stopping them, for example.

Alexandra: You say they are not aware about the reasons why they’re having the problems that they’re facing. What is The Digital Blind Spot? Do we have to download the report to find out, or can you give us some of the high-level takeaways of what the reasons behind the problems are?

Amir: Well, I’m sure the expert group would appreciate if as many people as possible download the paper. Please do, because it has some very interesting visualizations, graphics that even if I would like to, I’m not able to describe.

Alexandra: Yes, audio format definitely makes it a little bit difficult to go through this chart but I also have seen them. I can highly recommend to the listeners to just type into Google “Mobey Forum report: The Digital Banking Blind Spot” to download the full report. Just the high-level takeaways would be great.

Amir: Exactly. Back to your question, Alexandra, why blind spot? It’s because on one hand there are plenty of processes within the bank, which are not privacy compliant, and banks are not aware of that fact. On the other hand, there are processes which are not privacy-compliant, but the banks are not capable of replacing them with the privacy-compliant ones because those processes are mission-critical for banks. I heard from many banks, “Look, I know that we are not compliant, but we can’t stop testing our solutions and we need ,for example, we are using production data. We are looking for another solution but we couldn’t find anything yet.”

Alexandra: Yes, I agree. This is also something that we hear from plenty of clients and prospects. That’s why we are now building more sophisticated testing capabilities in our synthetic data platform so that people can fulfill these requirements finally with some super realistic, production-like data.

Amir: Yes, the last point is innovation. There is this common belief that innovation and privacy are not compatible.

Alexandra: You can’t merge both.

Amir: We can’t merge both. It doesn’t work. We already mentioned this problem within our discussion that this is common belief. Now you can be innovative and privacy compliant. Let’s stop being innovative. Many banks then just kill too many good ideas because they are not aware that there are solutions that would help them to realize those innovations in a privacy compliant way.

Alexandra: Okay. What’s your belief on that? Can banks continue to say no to innovation? Or do you believe that only those who are digitally mature enough and innovative and forward-looking enough will stay on top of the game versus the others will have challenges with all the emerging neobanks and keeping the customer base? What’s your take on that?

Amir: Well, definitely, the more mature you are, the more resources you have to invest in these privacy-enhancing technologies, the better start you will get. We already see some banks that have this headstart that comes with policy. The thing is that it’s interesting that this privacy regulation led to increased competition, and privacy is becoming a competitive space for banks.

Alexandra: Yes.

Amir: That’s something that you wouldn’t expect. The banks used to see regulation as a more defensive weapon. In this case, you could look at the privacy regulation as something that could be used as an offensive weapon.

Alexandra: Yes. I absolutely can see how this is happening. We also saw it in other industries where privacy protection suddenly became the competitive edge and the reasons why today’s more educated consumers actually decide to do business with you. You mentioned that this report also covers emerging privacy-enhancing technologies as really the practical solutions on how to reconcile privacy and regulations and innovation. Can you give us an overview? What are these most promising emerging privacy-enhancing technologies?

Amir: At the moment, how these privacy enhancing technologies are, if we look at the hardware corner, we will find trusted execution environment. If you look at the software side, they are different, interesting technologies like AI-generated synthetic data.

Alexandra: I know about that one.

Amir: You should know something about that. Homomorphic encryption, federated learning, secure multi party computation. Those will be the most important ones.

Alexandra: Yes. Perfect. What would you say are the most important use cases for each one of those technologies or maybe if you can give one or two examples?

Amir: Like in the paper that we wrote before, we are focusing on analytics. Analytics is just one of the components of this entire data value chain. Analytics and exchange are two very important areas where we expect that privacy-enhancing technologies will thrive. Then the question is, which one to pick? You can say if it’s important, how you perform analytics, then you could maybe focus on something that does encrypted analytics.

If it’s a question about where the analytics is performed, then you would maybe look into the security environment, as I already mentioned, trusted execution environments. Or a decentralized approach like federated learning. Or when it’s about data, if you want to focus on data and optimization, then probably statistically representative fake data would be a very good way to go.

Alexandra: Make sense and for more details, I think now we’re at the point where listeners have to finally download the Digital Banking Blind Spot report. What would you say, what’s the current state within banking and enterprise environments? How do they handle data right now? Are they making use of these emerging privacy-enhancing technologies? Or if not, what are the major challenges in adoption of them?

Amir: Yes, they’ve being using these kinds of technologies although many of those technologies are still in the early stage. There are two approaches to that. One is experimenting with these kinds of approaches in the form of proof of concepts, pilots, and trying to provide some kind of proof that this works and can improve some processes. That’s a slower way to proceed. It’s more bottom-up approach. And then, on the other side, you have players that bet heavily on privacy-enhancing technologies, where this is one of the highest priorities.

From the technological perspective, the whole thing is top-down, many different departments are brought into the projects, working together to get the maximum out of the technologies. They are working with the vendors to improve these technologies because some solutions are still not mature and they are getting the maximum possible at the moment out of these kinds of technologies.

Alexandra: Interesting to see the different approaches in the market. There was also one recommendation from Gartner to start early on with these technologies, and really think about how to implement and how to utilize them to grow together with the vendors. I see quite good examples in the industry from banks taking the latter approach. But yes, of course, in general, what we see is more digitally mature and innovative banks really working with these technologies at the moment. Those who are not at the forefront of innovation are still being a little bit reluctant, or as you highlighted in the report, not yet aware of the issues, or the reasons for the issues that they’re facing and these emerging technologies actually being a way out of the dilemma.

Amir: I’m actually waiting for the moment where I will stumble upon someone who’s working for a privacy engineering team at a bank because often things have to be formalized in a bank. You have to put a box somewhere on the organigram of a bank to get things moving. A few years ago, you saw, for example, the first data science teams popping up. Now, this is not a novelty at all. I think time is ready for privacy engineering teams.

Alexandra: Would you say that currently in banks, there’s a clear responsibility when it comes to privacy?

Amir: Not yet. No. The topic is all over the place, in different departments. Sometimes departments like innovation, security, or legal, are involved. In other occasions, the initiative starts from business that has to solve some issues, improve some things, then sometimes it’s a very technical topic that is where for example, IT infrastructure start the initiative or a data science team that is just exploring new ways to work with data. It’s still not very structured approach.

Alexandra: It’s also not yet interdisciplinary enough from what you described in one of our earlier conversations, is it?

Amir: It’s not interdisciplinary. It’s crucial thing to get this knowledge and skills together. How can you move forward in a way that people from information security department, from legal department, from business and from technology, first of all, they all speak the same language? Then also have all the common objectives that we want to bring this company forward? That there is not one department that always breaks and other than pushes on the gas pedal, but to work together and to overcome privacy-related obstacles.

Alexandra: Yes, this reminds me actually of one of the early episodes I recorded with the head of data governance from Swisscom. He also emphasized that in today’s environment, it’s the obligations of data governance people, privacy people, not just put on the brakes and say no, but actually to collaborate and help the business side to reach the objectives and find solutions on how innovation and data privacy protection can be reconciled. Okay, having clear responsibility, and also having an interdisciplinary approach to it. What else is important for banks to really make it right?

Amir: It’s crucial for the banks to establish some common practices to deal with privacy within the processes and within the product development process. All this is going in the direction of privacy by design principles, that has to be implemented across the organization. Therefore, you need first to understand what are the requirements? What are the technologies that you have to use to achieve those principles? Then also to train all people who are involved in those processes to work together in that direction.

Alexandra: That’s a good point that you’re mentioning, training the people. We’ve talked a lot about enterprise-level data management and privacy strategies but what does this mean for the professionals working in this field, especially in financial services? You also give lectures at university, so what kind of skills are necessary in the workforce? What do you teach your students to really be able to combine innovation and privacy in practice?

Amir: There is no one skill that is crucial, it’s a combination of different skills. We are talking about an area which requires combination of different skills. It’s an interdisciplinary field where you need certain understanding of the business processes, of the privacy technologies, also of legal framework. This is everything, this goes in the direction of being a journalist in an area, and the banks, especially they prefer specialists. From my perspective, I think there is a market for generalists who are able to play well in all these different fields and to bridge the gaps between different departments, and exactly, that’s one of the purposes of this degree program that we run with the Bern University of Applied Sciences in Artificial Intelligence is to provide, first of all, competence from different areas.

We have lectures which are coming from innovation security, from legal tech side, and also business innovation, business modeling, and then to a create joint framework for privacy, and to learn people how to overcome these barriers. The fun fact is that the final thesis of this degree program is that you have to find within your organization a project that was either stopped because of privacy or is right now delayed and to find the appropriate approach to get this project back on track.

Alexandra: Okay, I assume there are plenty of projects to choose from, at least what we hear from the market, how many things are stopped. Sounds like a super valuable program. What’s the name of this degree program?

Amir: The program is called Privacy and Innovation and it tries just with two words, to describe the entire spectrum of things that we want to cover, which is a bit difficult.

Alexandra: I can imagine. One point I also wanted to cover because it’s surprising to me and as well as to you what we discussed in previous conversations. Also coming back to these blind spots, what we see quite often is that, especially on the business side, the more senior managers are not really aware of how data protection and privacy protection is implemented in their banks. Sometimes, there’s not even awareness on whether pseudonymization is enough, where it has to be anonymization. Sometimes there’s even confusion whether pseudonymization and anonymization isn’t the exact same thing that can be used interchangeably.

Can you clarify this for the business side, or for some people who are not yet aware of this? What’s the difference between pseudonymization and anonymization? Why is it important?

Amir: Right now, it’s complete chaos. When I talk to banks, I hear things like, “No, we’re good with privacy. We removed PII, so now we work with anonymous data, so we can do whatever we want. Everything’s cool.” This is completely wrong in many ways and to understand why it’s wrong, we have to understand the difference between pseudonymized and anonymized data. Pseudonymization means removing PII or Personally Identifiable Information from your data.

This means that the rest of the data is still original customer data, and as long as you link this data set with another one that contains PII or Personal Identifiable Information, you’re able to re-identify the entire data set, all the customers within. That can happen very easily and it was proven many times. If you ever want to know more, just google a bit, AOL, or Netflix and so on. Many use cases where these kind of things already happened. Anonymous data, on the other hand, means that you apply different approaches that render data in a way that you can’t reidentify it anymore. You can’t link it back to a real person.

Alexandra: I think to sum it up, maybe this is also the reason why within GDPR, pseudonymization is still considered personal data. It’s just an added security, measurement, or measure, versus anonymization is out of scope. I think here, it’s also important to highlight it’s already perfectly understood in the more digitally mature organizations, but as for some other organizations, it’s not yet that clear. Anonymization has to fulfill really high standards, and that there’s much research out there at the moment that really pinpoints that legacy anonymization techniques like masking and obfuscating fail to produce fully GDPR compliant anonymous data at the moment.

This is also the reason why so many banks are leaning towards synthetic data at the moment. Synthetic data can’t be re-identified, therefore really gets you out of GDPR’s scope. Pseudonymization is still personal data. Anonymization that fulfills GDPR requirements is out of scope and is free to use for analytics, testing, and data sharing.

Amir: Exactly, and the term legacy anonymization techniques, we can even extend it to legacy privacy-enhancing techniques. That would go in different other areas like access management, and encryption, and so on and so forth. The big issue right now with the banks and also other industries is that they are relying heavily on these legacy PETs. That’s why they have also this feeling of no urgency to do anything. They think that they are compliant, that everything is okay until something happens.

Alexandra: That’s right. Once again, go download The Blindspot Report to prevent this from happening to your bank. Maybe to bring it on a higher level, we just talked about the more technical aspects and more details. Customer trust is arguably one of the most important assets for banks. How can you create trust, or can you keep customer trust as a bank without hindering innovation?

Amir: Again, privacy by design is key. I don’t know if your listener knows that, but trust is the most valuable asset of a bank, something that was difficult to earn, you earn it over decades, if not centuries in the banking business and you can lose it very easily. Instead of hoping that you will be get lucky enough to just build something that works and that the privacy won’t get to be an issue, eventually, you should really put privacy on an agenda and actively engineer a solution that is privacy-compliant, not only today but also tomorrow. Because technology is advancing and also techniques for how to, for example, re-identify customers are involved when we’re talking about legacy anonymizations technique.

It’s always just a question of time, if your approach, a researcher will find out the way how to challenge your entire organization before approaching it. That’s why privacy by design is crucial to maintain a certain level of quality when it comes to privacy.

Alexandra: Any final words, remarks for privacy practitioners, innovators within the banking environment? Anything you want to share with them?

Amir: I can only repeat what I already said. Privacy is here to stay. If you are an innovator, if you’re someone from business, you have to learn how to manage privacy the right way. It’s not an obstacle. You can be competitive by using privacy-enhancing technologies because your customer will appreciate your efforts to protect their privacy. Better start sooner than later learning about privacy-enhancing technologies.

Alexandra: Very good final words. I completely agree that privacy can be a competitive advantage and it’s quite likely going to be a competitive advantage. Just looking into other industries where we saw this already happening. I assume expectations from customers towards the bank on privacy protection will get even higher. Therefore, it’s increasingly important to reconcile innovation and privacy. Thank you so much, Amir, it was super insightful to talk with somebody who has this vast experience not only on privacy and AI but also on the banking background, and I think this was a super valuable episode for our banking listeners. Thank you very much for taking the time.

Amir: Thank you, Alexandra, for having me.

Alexandra: It’s a pleasure. Thank you.

Jeffrey: We just heard a great overview about the state of privacy in the banking space.

Alexandra: We, for sure, did. I think Amir has a very good understanding of how privacy issues and related technologies are handled in the financial industry. Lots of good takeaways here. Let’s put them together, the most important and actionable takeaways for our listeners, shall we?

Jeffrey: Yes, let’s do it. First of all, helping customers achieve their financial goals is a long and technically challenging journey. However, it’s well worth the trouble for all parties involved, and Amir pointed out that really humans are not built for this long-term planning. They need help to make good financial decisions.

Alexandra: Definitely, you have to make it convenient. I think automating as many things as possible is the right way to go. Second, it’s important to have supporters in other departments, and across the industry, to make projects happen within the financial services industry, and also to exchange ideas and of course, knowledge.

Jeffrey: Absolutely. Number three, Amir gives us some top tips for banking innovation and also suggestions and how to speed up a process and make it to market. He talks about telling a good story, and how the solution is really going to help your customers. He says learn new skills and get hands-on with different projects you’re involved with. If IT doesn’t have the know-how, try to figure it out yourself, or at least get a proof of concept going.

Alexandra: Yes, I think that’s a valuable approach to try it out yourself and get the expertise yourself. I think it’s just the right skill and the right approach in today’s ever-changing world. Next take away. Neobanks focus on technology, traditional banks focus on regulation. According to Amir, technology always beats regulations. Plus, technology can help you comply and neobanks are already using privacy-enhancing technologies extensively to do just that.

Jeffrey: Yes, and banks need to figure out how to embrace privacy-enhancing technologies. Innovation and privacy can coexist. He talks about how banks really kill too many good ideas because they’re really not aware that there are solutions, which can make these happen in a privacy-compliant way.

Alexandra: I think this is why this report from the Mobey Forum is called The Privacy Blindspot. Next takeaway. Investing in privacy-enhancing technologies allows mature banks to innovate more. Privacy itself is also becoming a competitive space for banks.

Jeffrey: Yes, so let’s collect or talk about or highlight the most promising privacy-enhancing technologies that Amir mentioned. These are the ones that I recommend you take notes on, and if you’re not familiar with them do a bit more research. On the hardware side, he talked about trusted execution environments, and then on the software side, he brought up AI-generated synthetic data, homomorphic encryption, federated learning, and secure multi-party computation.

Alexandra: Definitely. You remember those and we highlighted it several times: the report from Mobey Forum is free to download, and there you have a great overview of all of these technologies and the use cases that are most promising for each and every one. Next take away. The two most important use cases for privacy-enhancing technologies, so-called PETs are data analytics and data exchange or data sharing. If it’s important how you do analytics, you should look to encrypted analytics.

If the location is important where analytics takes place, you should look at secure and trusted execution environments, or a decentralized approach like federated learning. If you want to concentrate on the data and on anonymization, statistically representative AI-generated synthetic data would be a good choice.

Jeffrey: Yes. Setting up privacy engineering teams would also be a good idea for banks to embrace. This privacy topic is really unstructured at the moment and responsibilities seem unclear to different teams and stakeholders. An interdisciplinary approach would be crucial to approach the privacy topic, infosec, legal, technology, and business folks should really speak the same language and have common objectives to overcome privacy-related obstacles.

Alexandra: Definitely, privacy can’t be handled only by one department. They have to work together and collaborate and communicate. Then establish common practices to deal with privacy within processes and within product development. Privacy by design principles have to be implemented across the organization, understand the requirements, and train people to be able to work in this direction.

Jeffrey: Yes, and a combination of different skills is truly necessary to make privacy by design actually happen within these organizations. Understanding of business processes, legal frameworks, and privacy technologies plays a big role in this.

Alexandra: They should do. One of the topics that’s still very frustrating to Amir when he’s talking with some people in the financial services industry: the difference between pseudonymization and anonymization is often misunderstood. Pseudonymisation doesn’t make data anonymous. Pseudonymized data is still personal data. In contrast, anonymous data cannot be re-identified. However, legacy anonymization techniques like masking or obfuscation, oftentimes fail to fulfill the very high data anonymization standards set forth by GDPR.

Banks often rely heavily on legacy privacy technologies, that in reality do not protect the data, do not protect their customers, and do not protect them from GDPR and other privacy fines.

Jeffrey: Unfortunately, some companies are finding this out the hard way. Put privacy on the agenda and engineer a future-proof privacy by design solution.

Alexandra: That I think is the most sustainable approach. The first good step in this direction is to download the digital banking client support report at mobeyforum.org. This report really is a great resource to learn about the privacy problem and its solution for decision-makers, for people who are a little bit too far away from the operational level privacy problems.

Jeffrey: Those are great takeaways, Alexandra. Thanks for this excellent interview, and thank you, Amir, for sharing your knowledge.

Alexandra: Yes, thanks a lot, Amir. It was my pleasure to talk to him today. Thank you to all of our listeners for downloading our podcasts and listening to Amir’s episode. If you have any questions, comments, or recommendations, please send us an email to podcast@mostly.ai and if you have a minute or a few seconds, just subscribe. This would be a great help for us. See you next time.