Handling HNW Clients' Data Via Tokenization – An Overview
Banks and other players in the wealth management space transfer data across borders – a fact that has become more significant as globalisation has taken place. How information can be moved without falling foul of regulations that protect privacy is a concern. How can "tokenization" provide a solution?
How wealth managers and other firms transmit client data and stay on the right side of data protection laws remains a hot topic. And at issue is whether technology can surmount challenges caused by rules – or create potential problems.
The European Union’s General Data Protection Regulation, aka GDPR
(adopted in the UK as the law emerged prior to Brexit), imposed
significant obligations on firms, nonprofits and other entities
regarding the personal data they hold, with fines for those who
broke the law. (One of the perhaps unintended side-effects of
GDPR is that it potentially clashes with calls for public
registers of beneficial ownership.) A few weeks ago, the UK
government unveiled a UK-US data “bridge,” which took effect
from 12 October – granting UK firms the freedom to send
personal data to certified US organisations. In the summer,
meanwhile, the European Commission ruled that its “privacy
shield” pact with the US could continue as the US had adequate
protections in place.
Transferring data across national borders is meat and drink to
wealth managers, private banks, family offices and other
organisations looking after HNW clients. As a result, tech
“fixes” that make it easier to stay on the right side of laws are
appealing. At issue, however, is how robust these are.
One way for firms to handle data transfers is to make the data
pseudonymous or anonymous – partly hiding a person’s real
identity, or completely removing any references that can
identify a specific person.
Protegrity, a
US-headquartered data protection business operating in a number
of countries, uses data tokenization. This, according to the
firm’s website, “protects sensitive data by substituting it with
a randomly generated surrogate value known as a token.”
There are two types of data tokenization: vault and vaultless.
Vault data tokenization stores information about tokenized data
in a database, while vaultless generates tokens with algorithms
to prevent easy access.
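The two models can be contrasted in a short sketch, added here for illustration and not taken from Protegrity or any vendor. The class names, the `T-` token format and the sample records are constructed, and a keyed HMAC stands in for a vaultless algorithm, so those tokens are one-way in this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names, codes and amounts are invented.
RECORDS = [
    {"name": "Alice Example", "client_code": "C-1001", "amount": 250000},
    {"name": "Bob Sample", "client_code": "C-1002", "amount": 90000},
    {"name": "Alice Example", "client_code": "C-1001", "amount": 50000},
]

class VaultTokenizer:
    """Vault model: random tokens, with the token-to-value mapping stored."""
    def __init__(self):
        self.by_value = {}
        self.by_token = {}

    def tokenize(self, value):
        if value not in self.by_value:
            token = "T-" + secrets.token_hex(8)  # random, no relation to value
            self.by_value[value] = token
            self.by_token[token] = value
        return self.by_value[value]

    def detokenize(self, token):
        # Only the party holding the vault can re-identify.
        return self.by_token[token]

class VaultlessTokenizer:
    """Vaultless model (simplified): token computed from a secret key."""
    def __init__(self, key):
        self.key = key

    def tokenize(self, value):
        mac = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return "T-" + mac[:16]  # same key and value always give the same token

def protect(records, tokenizer, fields=("name", "client_code")):
    """Replace the identifying fields with tokens; leave other fields as-is."""
    return [{k: tokenizer.tokenize(v) if k in fields else v
             for k, v in r.items()} for r in records]

def total_by_client(records):
    """Aggregate per client; works on tokens because they are consistent."""
    totals = {}
    for r in records:
        totals[r["client_code"]] = totals.get(r["client_code"], 0) + r["amount"]
    return totals
```

In both models a recipient of the protected records can still group and total by client, while whoever holds the vault or the key can link tokens back to people, which is why such data counts as pseudonymised rather than anonymised.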
This approach is winning wealth management clients, Alasdair
Anderson, vice president at Protegrity, told this news service in
a recent call. Anderson is based in Amsterdam and has worked at
the firm since 2020. He is responsible for the financial services
vertical at that firm.
“What we would compare ourselves to is encryption,” Anderson
said.
The challenge with encryption, Anderson said, is that encryption
removes all utility and value from data.
“To use encrypted data the first thing you have to do is decrypt,
removing the protection. Our solution allows for almost all data
operations to be performed on protected data, eliminating
operational risk from data access,” he continued. “The
solution we provide to the banking world is to protect data and
maintain its utility and enhance how it is used.”
At a time when financial centres are changing and face new
regulations and challenges, data transfer must be handled
responsibly, Anderson said.
Pseudonyms or anonymous?
A key issue is how the status of personal data can be changed,
and this is where the terms pseudonymised data and anonymised
data arise.
The EU General Court has overruled the European Data Protection
Supervisor and held that pseudonymised data will not be personal
data for the purposes of EU data protection law when transferred
to a recipient that is unable to link the pseudonyms to
identifiable individuals. According to Dechert, the law firm (12
May), this was a "pragmatic approach that provides greater
certainty for businesses that routinely use pseudonymisation, but
risks undermining protections for individuals."
With anonymisation, technology masks or removes identities, and
that is forever. Pseudonymisation replaces personal identifiers
with artificial identifiers.
At issue is whether a person could re-identify the pseudonymised
data with the addition of other information such as their client
code, for example. If there is a risk that it can be, then the data
still falls under GDPR. There is also, possibly, a risk that
the pseudonymised data could eventually be hacked.
Risks
There are potential risks, according to Sorcha Lorimer, founder
of data protection consultancy Trace. In a recent
article for this publication, she wrote: “A range of risks
will be apparent to anyone who has really thought about the
volume and sensitivity of data a wealth manager holds on each and
every client. Yet there is one huge risk which I suspect is
almost a total blind spot for the industry – namely that both
wealth managers and the tech companies serving them are very
often misunderstanding foundational legal definitions when it
comes to pseudonymisation and anonymity, and in the worst case
could be unwittingly breaking the law.
“Things are progressing rapidly in this area of course and there
are certainly high-tech methodologies coming on line. However,
the fact remains that true anonymity is actually very difficult
to achieve – so that it is impossible in practicable terms to
identify an individual. What many in the data industry will call
‘anonymous’ is actually only pseudonymised or de-identified. The
difference is crucial: truly anonymised data is not subject to
GDPR whereas anything falling short of this bar absolutely
is.
“With anonymisation, masking or deletion is used and it’s
irreversible. Pseudonymisation, meanwhile, sees personal
identifiers replaced with artificial identifiers (such as client
codes) and the information necessary to re-identify the data kept
separately. One example of pseudonymisation is tokenization –
although, perhaps inevitably, such solutions are very often
shopped around as offering true anonymisation in the GDPR sense,”
Lorimer wrote.
A lawyer who focuses on data privacy issues told this news
service that the basic challenge remains
governments’ disregard for the data privacy of their own
electorates. Until this situation is resolved, technology
workarounds aren’t relevant, this person said.
Locked down unless otherwise stated
Protegrity’s Anderson argues that his firm’s approach is based
on the idea that data is locked down and protected unless
there is a clear reason for an exception. This contrasts with the
idea that all data should be in the open unless there’s a
specific reason to keep it secret and classify access.
“Once you are inside [a firm] you should only see what your job
needs… This approach does address some of the complacency that has
built up,” he said. “The only people who need to know a
first name and last name are those who are right in front of a
customer at that space, at that time.”
“We are definitely providing a solution and have been deployed in
this space multiple times. We are ‘detoxifying the data’,”
Anderson said.
These data transfer issues are particularly acute for banking and
finance, as operations tend to be more complex than in other
major business sectors, he added.