Reimagining Entitlements Control in Banking Through Privacy by Design

Banks are tasked with protecting customer data at all levels in a world that is becoming increasingly digital. Ramakant Mohapatra, director of privacy & data protection at EdgeVerve Systems Limited and N. Narasimha Prasad, senior director of product management and strategy at Finacle, share how the privacy by design (PbD) approach is key to managing data effectively and ensuring data privacy.

Data privacy regulations are coming into force across geographies. Thus far, nearly 137 out of 194 countries have enacted data privacy laws for business and society. It is imperative for every organization and individual to understand the objectives of these laws, their applicability, and ways of embedding them into business and individual lifecycles involving personal data. This can only be realized through the Privacy by Design (PbD) approach, which is independent of any country-specific privacy regulation and leaves minimal scope for local tailoring.

In the context of banking, at the outset, it may appear a daunting challenge to realize PbD principles across the bank’s application landscape with privacy technologies as system enablers. Adopting a structured and progressive approach would help achieve the desired result. The International Association of Privacy Professionals (IAPP) publication suggests a model that outlines two strategies to be adopted. One is the process strategy – enforce, demonstrate, inform, and control. The other is the data strategy – separate, minimize, hide, and abstract. This article describes one of the entitlement approaches used in banking, which addresses many of the needs of the separate, hide, and minimize strategies.

Abstract Privacy Model

The abstract privacy model consists of two types of actors: threat actors who violate an individual’s privacy and those whose privacy might be violated. Any party who interacts with an individual or their information represents a potential threat. In the context of banking, “customer” can be mapped to “individual or subject” and “bank staff” to “domain/threat actor.” Hence, as per FAIR risk analysis, there is a potential for privacy violation by “bank staff” (domain actor) of “bank customer” (individual) information.

Understanding Entitlement Controls

One of the well-known techniques for minimizing risks is through “controls.” In the context of banking, with bank staff as threat actors, these can be referred to as “entitlement controls.” At an abstract level, entitlement should answer the question, “Is this permitted?” While banks have a well-defined entitlement schematic based on the ‘role matrix’ and ‘need to know’ philosophy, it is not adequate or sufficient for PbD. However, the good news is that there are multiple mechanisms that can be enforced in the context of PbD. One of them is presented here.

The question “is this permitted?” can be examined at various depths, as described below.

Data Level Control and Its Gradations

Banks usually have well-defined entitlement controls up to and including level 3. These existing controls are subject-agnostic and not sufficient in the context of PbD. Hence banks need to design Level 4 controls. At the abstract level, these controls translate to the entitlement to act upon a given record, sub-class of information and attributes belonging to the given subject, for the given domain actor and a well-stated, legitimate purpose, by fair means. This serves multiple PbD data strategies and can be termed “product-persona-purpose” based controls in the design of the product schematic. The subject’s data-level control can be designed in the following grades.


Grade 1: Domain entity level

Domain entities are the foundation on which transactions and operations are conducted. Examples include accounts, customers, bank staff, and corporate users. There should be ways to specify access control over the domain-entity records owned by the subject. For example, one bank staff member cannot access (view, operate, delete or transfer) another peer bank staff member’s accounts. Only nominated bank staff can access and operate high-net-worth individual accounts, based on the customer’s risk profile and standing instructions.

Grade 2: Sub-class info of domain entity

Each domain entity has logical groupings or sub-classes of information, and not all of that information needs to be accessed for all operations. Irrespective of the physical separation of such information in the data store, there needs to be a logical separation, and hence controls must be implemented for the given legitimate purpose. For instance, any banking account has multiple logical sets of information: contact, balance amount, transactions, nominee, joint account, lien information, clearing information, etc.

Having permission to access a given banking account doesn’t mean that access is allowed to all of its sub-entity information; that should depend on the purpose and the actor. For example, the bank staff facilitating a payment need not have access to the nominee or transaction history. Likewise, those processing an address change for the subject need not have access to balance details.

Grade 3: Attributes of the subject’s record

In certain instances, an actor is given access at entity level and entity sub-level where access may not be required for all attributes. Controls are required here. For example, bank staff working on service requests related to transaction history have access to the banking account (entity) and the transaction history (entity sub-level), but they need not access all attributes of the transaction history, such as the running balance.

The process or operation can, in certain instances, be facilitated without needing to access the subject’s identification data. Controls must be in place to hide such details. For example, to approve a loan, the approving officer needs to know the income, expenditure, history of loan repayments, industry segment, loan amount, duration, etc., but need not know the applicant’s name, national ID, address, etc.

In combination, entity-level, entity sub-level and attribute-level access for the given actor and the stated legitimate purpose work powerfully to manage the PbD data strategy aspects of separate, minimize and hide.
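The three grades above can be implemented as a single purpose-bound authorization step: a Grade 1 check on whether the actor may touch the record at all, a Grade 2 projection that keeps only the sub-classes the stated purpose needs, and a Grade 3 mask over identifying or sensitive attributes inside a permitted sub-class, with every decision written to an audit trail so the actor is accountable. The following is an added example written for this article; it is not Finacle’s code, and the role names, purpose names, policy rows and sample records are all constructed for illustration and encode the scenarios given in the text (payment staff, address change, transaction-history queries, loan approval, peer-staff accounts and nominated staff for high-net-worth accounts).

```python
"""Added example (not Finacle's code): a purpose-bound entitlement check that
applies the three grades described above. Roles, purposes, policy rows and
sample records are all constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

MASK = "***"            # Grade 3: attribute value replaced in the returned view
AUDIT: List[dict] = []  # every decision is recorded so the actor is accountable


@dataclass(frozen=True)
class Actor:
    staff_id: str
    role: str


@dataclass(frozen=True)
class Entitlement:
    """One product-persona-purpose rule (hypothetical policy schema)."""
    role: str
    purpose: str
    entity: str                 # Grade 1: domain entity type this rule covers
    subclasses: FrozenSet[str]  # Grade 2: sub-classes readable for this purpose
    hidden: Dict[str, Set[str]] = field(default_factory=dict)  # Grade 3: masked attrs


POLICY = [
    # Payment staff see contact and balance, never nominee or transaction history.
    Entitlement("payments_ops", "make_payment", "account", frozenset({"contact", "balance"})),
    # Address-change staff see contact details only, not balances.
    Entitlement("kyc_ops", "address_change", "account", frozenset({"contact"})),
    # Service desk may read transaction history but not the running balance.
    Entitlement("service_desk", "txn_history_query", "account",
                frozenset({"transactions"}), {"transactions": {"running_balance"}}),
    # Loan approver sees financials and terms; applicant identity is hidden.
    Entitlement("loan_officer", "loan_approval", "loan_application",
                frozenset({"applicant", "financials", "loan_terms"}),
                {"applicant": {"name", "national_id", "address"}}),
]


def find_entitlement(actor: Actor, purpose: str, entity: str) -> Optional[Entitlement]:
    for e in POLICY:
        if (e.role, e.purpose, e.entity) == (actor.role, purpose, entity):
            return e
    return None


def grade1_record_allowed(actor: Actor, record: dict) -> Tuple[bool, str]:
    """Grade 1: may this actor touch this particular record at all?"""
    if record.get("holder_category") == "staff" and record.get("holder_id") != actor.staff_id:
        return False, "peer staff record"
    nominated = record.get("nominated_staff")  # set only on high-net-worth records
    if nominated is not None and actor.staff_id not in nominated:
        return False, "actor not nominated for this high-net-worth record"
    return True, "ok"


def authorize(actor: Actor, purpose: str, record: dict) -> Tuple[bool, str, dict]:
    """Return (allowed, reason, view); view is the purpose-bound projection of the record."""
    ent = find_entitlement(actor, purpose, record["entity"])
    if ent is None:
        decision = (False, "no entitlement for this role/purpose/entity", {})
    else:
        ok, reason = grade1_record_allowed(actor, record)
        if not ok:
            decision = (False, reason, {})
        else:
            view = {}
            for subclass, attrs in record["data"].items():
                if subclass not in ent.subclasses:
                    continue  # Grade 2: drop sub-classes outside the stated purpose
                hidden = ent.hidden.get(subclass, set())
                view[subclass] = {k: (MASK if k in hidden else v) for k, v in attrs.items()}
            decision = (True, "ok", view)
    AUDIT.append({"actor": actor.staff_id, "purpose": purpose, "record": record["id"],
                  "allowed": decision[0], "reason": decision[1]})
    return decision


# Constructed sample records (not real customer data).
ACCOUNT = {
    "entity": "account", "id": "ACC-1001", "holder_category": "customer",
    "holder_id": "CUST-77", "nominated_staff": None,
    "data": {
        "contact": {"phone": "+91-00000-00000", "address": "1 Sample Road"},
        "balance": {"available": 12500.0},
        "transactions": {"last_txn": "2022-10-01 debit 500.0", "running_balance": 12500.0},
        "nominee": {"name": "N. Sample"},
    },
}
STAFF_ACCOUNT = dict(ACCOUNT, id="ACC-2002", holder_category="staff", holder_id="EMP-9")
HNW_ACCOUNT = dict(ACCOUNT, id="ACC-3003", nominated_staff=["EMP-42"])
LOAN = {
    "entity": "loan_application", "id": "LN-5", "holder_category": "customer",
    "holder_id": "CUST-77", "nominated_staff": None,
    "data": {
        "applicant": {"name": "A. Sample", "national_id": "X000", "address": "1 Sample Road",
                      "industry_segment": "retail"},
        "financials": {"income": 90000.0, "expenditure": 40000.0, "repayment_history": "clean"},
        "loan_terms": {"amount": 250000.0, "duration_months": 60},
    },
}

if __name__ == "__main__":
    print(authorize(Actor("EMP-1", "payments_ops"), "make_payment", ACCOUNT))
    print(authorize(Actor("EMP-7", "loan_officer"), "loan_approval", LOAN))
```

The design point is that the caller never receives the raw record: `authorize` returns a projection shaped by role and purpose, so a screen built for payments physically cannot render the nominee, and the loan-approval screen receives the applicant’s industry segment with the name, national ID and address already replaced by the mask. Denials and approvals both land in `AUDIT`, which is what makes the “held accountable” requirement of Level 4 controls checkable after the fact.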

Keeping Up with Data Privacy Regulations

As described earlier, entitlement implementations are instrumental in achieving PbD. While banks may have sophisticated entitlement controls across applications, functions, and contexts, these need to expand to an adequate data level to make sure that only authorized domain actors can process the data of subjects for a well-stated, legitimate purpose, keeping the data-privacy context and alignments intact, and being held accountable for their actions.

Importantly, such controls must be cohesive, binding, harmonized, and well-integrated into their applications through technical controls and measures to be truly impactful as data privacy regulations evolve.

This article was previously published in Spiceworks.

Top 11 banking trends 2023: Recomposing banking

The banking industry has been undergoing a significant shift over the past few years. The tides of change bring with it new ways of doing business, reflective of the growing need for banks across the world to reimagine their business models, customer engagement, operations, and transformation approaches.

Here are insights on the 11 most talked-about banking trends for both retail and corporate banking businesses, with a mix of technology and business themes, that highlight the tech-rich and collaborative future of banking.

Recomposing Business Model – Looking to the Future

To keep pace with change so their organizations remain relevant, undisrupted, and ahead of competitors, banks need to recompose their legacy business models and technology landscape and lead with transformation initiatives that enable them to fight for a share of “new-age banking”, conducted as digital-first, embedded finance, marketplace banking, BaaS, among others.

Reimagining Customer Engagement – Leveraging a Holistic Model

With new ways of doing banking, delivering personalized omnichannel customer journeys isn’t an easy ask. Banks need a holistic model that will empower them to offer tailored customer journeys across channels, applications, and devices.

Recomposing Operations

To compete with the new age competitors that run digital-first operations, banks need to take a dual approach to manage costs and strengthen foundations to accelerate growth.

Re-envisioning Security – Leveraging ESG to Secure Enterprises

It’s important for banks to track their evolution as well as specific security threats and vulnerabilities, and take corrective measures based on what is uncovered, especially as they work on defending against adverse actors who have, at their disposal, all the latest technologies and tools.

Reconceiving Money – Digital is the New Paper

Touted with the potential of ushering in new orders in financial inclusion, faster and cheaper payments, the digital currency landscape has expanded over the years. Banks must now capitalize on the implications of digital currencies in 2023 and take advantage of this trend going forward.

Composable Architecture – Preparing for the Future

With banks moving away from monolithic systems towards componentized and open architecture, composable solution design is the way forward. It enables coherence and coexistence of a heterogeneous application landscape while delivering the much-needed agility, flexibility, and resilience to meet the requirements of the new reality.

Banking Big on Cloud – To Scale Digital Success

A few years ago, cloud conversations in banking circled around adoption challenges related to security, compliance, or skilling issues. Today, it is no longer just a technology lever of efficiency, resilience, and scale but a catalyst of ecosystem innovation, time-to-market, and business value creation. Going forward, banks should strategize how to unlock the value of cloud to scale their digital success in 2023 and beyond.

Composing with APIs and Events – The Big Opportunity

Embedded finance is that rare opportunity that creates wins all around – for customers, who can avail banking services seamlessly to consummate any transaction without making an extra effort; for merchants and brands, who can attract customers; and for banks, who can expand their business by embedding their services within other consumption journeys. Powered by the growing maturity of Banking as a Service (BaaS) offerings, embedded finance is a big opportunity for this decade. In 2023, banks should strategize on how to take advantage of it.

Harnessing the Power of AI – Trending use cases and innovations

As analytics and AI technologies mature, they offer unprecedented opportunities to automate processes, elevate customer experiences and manage risks. This trend covers AI implementation in banking, trending innovations, and what all this means for the future of banking in 2023 and beyond.

Immersive Experiences – Banking in the Metaverse

Virtual experiences are increasingly becoming commonplace for consumers. Capitalizing on the various accessibility components of virtual banking can help banks unlock significant potential for growth. There is a marked potential for innovative growth in 2023 for the banking sector in this space.

ESG-led banking comes of age

There are two levels of ESG impact that banks are well-placed to create today. The first is in the implementation of ESG standards and goals within the bank itself. And the second is how the bank’s ESG consciousness is reflected in its policies, especially around lending, incentivizing borrowers to be more ESG-focused and widening the bank’s sphere of impact. In 2023, banks should look to create a positive ESG impact directly and indirectly, through their larger sphere of influence.

Are we making payments faster at the cost of safety?

UPI (Unified Payments Interface) was launched on 11th April 2016, and in the last two years it has been the most preferred mode for sending and receiving money. As per NPCI (National Payments Corporation of India), UPI reached 7.3 billion transactions in October 2022, which surely reflects the phenomenal growth of UPI in India. RBI’s digital payment index indicates the extent of digitization of payments across the country; it has risen from 207.94 in March 2020 to 349.30 in March 2022.

The extent of this payment revolution is such that users have stopped carrying a wallet or cash with them, relying simply on UPI transactions. Moreover, it has resolved the most common issue of cash transactions, i.e., ‘not having change’. Even after achieving this level of digitalization in the payments space, NPCI continues to add more cherries to the cake. Recently, it launched 3 more products:

While the above seems very fancy and cool, the question we need to ask ourselves is whether we need it. Do we still require payments to be faster? The Indian payment system has already achieved a significant level of digitization through NEFT, RTGS, IMPS and UPI. While this has become a boon to many (mostly digitally savvy people), it is a curse to others, especially those who are negligent or unaware of this sophisticated technology.

So many fraudsters have become active these days that all banks, including the RBI, have launched campaigns to spread awareness and urge vigilance in digital payments. Fraudsters are using fake QR codes to trick innocent people and perform online scams. Vishing (voice phishing) is another common way online scammers dupe people. This has generated distrust of digital payments among many, and all its features, like speed, operability and convenience, are perceived in the spirit of “a known devil is better than an unknown angel”.

As per the Government’s cybercrime department data, at least 61100 complaints of digital payment fraud were registered with the government in May 2022 (reported by the Times of India). Interestingly, more than 50% of these complaints were frauds related to UPI. The RBI and banks are leaving no stone unturned in spreading awareness of the same. What’s alarming is the acceptance of such fraud. After the scam is done, the victim has no means to track and recover his money. Though banking has become technologically advanced, we are yet to solve this biggest safety concern of online payments. Looking at the magnitude of its usage, it will become a major concern in the coming days.

Though we have all sorts of fraud detection and alert systems, somewhere we have failed in building the trust for online payments that they are safe and secure. Can we change our approach to ‘finding a cure’ rather than ‘preventing it’ only?

We require faster payments, but not at the cost of safety and security. It’s high time that R&D in the payments space focused more on how to make payments safer and more secure, and also on how a transaction can be traced back in case of default.

While the new-age fintech start-ups are focusing more on providing users with on-demand, one-click banking services, Finacle as a banking backbone has all kinds of resources, data and system integrations to solve the aforementioned problems.