Generative AI & The Next Great Opportunity in Privacy & Security

Dave Mullen
Mar 21, 2023

Uncle Sam really packs a punch when it comes to innovation.

Over the last decade, Dodd Frank’s provisions around interchange transformed Fintech as we know it, creating a $100 billion opportunity in the process. But with Fintech funding dropping at a precipitous rate in 2022, just what’s next for the category and how can Uncle Sam help?

Money2020 provided insight into what that might be with the Head of the Consumer Financial Protection Bureau asserting Open Banking (“OB”) would be enforced broadly starting as early as 2023. To skeptics, this is quite the aggressive timeline given the ten years since OB was initially introduced, with a questionable amount of progress to show for it.

However, already well into 2023, consensus is materializing around a final framework to roll out OB. And with the market showing signs of early adoption, is the US prepared for the estimated $3.6 trillion opportunity on the other side?

Open Banking 101

Less explicit regulation and more an evolving framework, Open Banking aims to give consumers control of their financial data while stimulating competition and innovation in financial services. Functionally this means that instead of a consumer’s financial data being siloed at one bank, it can be shared among banks, Fintechs, and beyond — subject to a consumer’s permission.

This is important as under the status quo, big banks reign supreme over the financial sector’s data. After all, owning all consumer data makes it easier for incumbent banks to build better and more targeted consumer products than emerging Fintech competition. Ownership of this data also makes it challenging for consumers to walk away from their debit accounts and the years of financial data held at a primary bank. Once again, stifling competition in the category.

To address this, Congress established the framework for an Open Banking rollout through section 1033 of 2010’s Dodd-Frank Wall Street Reform and Consumer Protection Act. Twelve years later, OB remains in purgatory as the industry struggles with agreed-upon standards for enabling OB, with everything from liability to privacy lingering as concerns.

But recent collective efforts, in part driven by efforts of The Financial Technology Association, have resulted in significant progress towards broad-scale implementation of OB. Progress underscored by cooperation among banks, Fintechs, and regulatory bodies alike indicating that OB might not be a bad thing — even for the incumbents it was meant to usurp.

The Gates Against the Barbarians

Despite an evolving framework, expedited timing, and titans like JPMorgan now routing external inquiries through APIs, concerns around data vulnerability in the open ecosystem remain. Much of this concern rests in how consumer data has been managed by Big Tech to date. After all, if a bank doesn’t own the data once it leaves its gates, who does?

This great liability question is made even more complex when considering that other major constituents of an OB framework, including Fintechs and data aggregators, have varying levels of infrastructure to support necessary privacy protocols, such as OAuth 2.0. Incumbent banks argue that if all have equal access to financial data, all should be equipped to manage that data with commensurate security and privacy standards.

While early, rising to meet these deficiencies in security standards are a host of startups all solving for the highly nuanced privacy needs of data in motion and at rest. Front and center are the startups solving for the vulnerabilities data faces in three primary attack environments — at the gateways of banks, Fintechs, and data aggregators, once within these gates, and while in motion throughout the financial system.

Exhibit 1. Data Security Across Attack Environments

At the Gate: API Security

APIs act as the gateway for data transmission throughout the financial services ecosystem — be that fintech, bank, or data aggregator. In a way then, Open Banking is largely enabled by and run on APIs, with financial transactions triggering millions of API calls to operate. So important are APIs to open banking, Gartner recently issued a report establishing API security as its own essential category, highlighting its growing importance in the transformation of financial services.

As with all gates, a sophisticated security system is required to guard the assets protected within. To address these API security needs, security leaders like Salt Security and Noname Security have emerged and in many ways pioneered intelligent threat detection for APIs, enabling the next wave of financial innovation.

Even as leaders emerge, with both Noname and Salt now surpassing billion-dollar valuations, there remains a significant opportunity for competition in the field. This is supported by the fact that 40% of banks do not have API strategies in place. Adding to this market upside is that financial institutions with API strategies also expect to double the number of internal APIs by 2025.

Those that stand a chance to compete with emerging leaders will be the security solutions that are increasingly sentient, proactive, and at times, embedded at code development to address the growing cognition and intelligence of threat actors.

Within the Gate: Authorization

Adding to OB’s security complexities are the various permissions and access control considerations once data is within a gate. How can an enterprise ensure only the permissioned data is accessed and pulled? Without a formal OB protocol, screen scraping runs rampant with many data aggregators and Fintechs forced to scrape information from digital bank accounts. This means pulling raw data digitally and then ingesting, cleaning, and organizing the data. A process just as time consuming, inefficient, and expensive as it sounds.

Screen scraping is also a significant impediment to innovation in financial services given the poor quality of data output from this practice. And beyond the time and cost are the dangers to consumer privacy. Under screen scraping, a consumer effectively grants blanket access to their account, meaning there are no controls to how much information is shared — this could mean sensitive credit data being pulled without a consumer’s permission.

The complexity of the authorization opportunity is reflected in the many approaches targeting varying pain points within the gate. Antimatter, for example, manages who has access to data and where it can be sent across enterprises. Whereas Incountry streamlines internal cross border data permissions for the growing set of multinational startups and enterprises.

Authorization and permissions will be ever changing, and to accommodate for OB, sentient technology will be needed to manage data through a maze of permissions, firewalls, and organizational complexities once within an organization.

Beyond the Gate: In Transit

Of course, beyond the gates of a bank or Fintech is data moving through the ecosystem from one gate to another. This environment is most relevant when considering the great question of liability for OB. Just who is responsible for a data hack should it be in transit?

While the question of ‘Who’ remains unanswered, the question of ‘How’ to protect this data has been met with emerging, enabling technologies. One such enabling technology is encryption. Data in transit is data in motion over a private or public network and is quite vulnerable as it is being transmitted. As a security mechanism, encryption makes the data unreadable if it falls into predatory hands. Startups such as Very Good Security have utilized this approach and are seeing traction with the likes of Brex, Fast, and Mercury.

In another approach, cryptography is utilized to tokenize identity and enable the continuous flow of data as it remains in transit. An approach pioneered by the likes of Footprint ID.

With many of these approaches still relatively nascent, the liability question remains. As these technologies advance, sentience and human cognition are imperative to protect rapidly democratized data sets facing increasingly intelligent threat actors in the open ecosystem.

The next billion-dollar security opportunity for data in transit should leverage this sentience in conjunction with enabling technology such as tokenization and encryption to meet the category where it needs it most.

To Generative AI & Beyond?

The evolving needs of each attack environment are highly nuanced. And underpinning the security requirements from the gates and beyond will be proactive detection to challenge increasingly intelligent threats. While early, to the rescue might just be the buzziest word in technology today — Generative AI.

Fundamentally, Generative AI represents the transition of machine learning and artificial intelligence from reactive to proactive sentience. In other words, under Generative AI, instead of discerning patterns from historical data sets, AI is now creating original work with the potential to transform virtually every facet of our lives. To date, much of the conversation around applications for Generative AI has centered around Gaming, Design, and Video. But creativity isn’t always manifested artistically.

In the case of financial services, Generative AI has significant potential for a host of risk prevention use cases. To date, several startups have emerged to accommodate application building across the enterprise, with many focused on enablement across sectors and applications.

While in early days, the impact to be had from Generative AI’s ability to generate synthetic data for training models and to augment existing ML and AI models is massive. And the enhanced cognition provided from the technology for security might just be the catalyst to solving the liability and security challenges of the financial system.

Going forward, an enormous white space exists to transform security and beyond in financial services. So much so that industry leaders have noted that generative artificial intelligence (AI) for risk management was a core area of focus for 2023 and beyond.

Exhibit 2. Generative AI & Security in Financial Services

Closing

Financial services might be one of the most regulated segments in innovation today. And rightfully so, as financial data represents one of the most intimate parts of a consumer’s life. Fortunately, with regulation comes a significant opportunity for innovation to accommodate evolving rules that keep the US’ trillion-dollar financial system in check.

While Open Banking is likely still a few years away, indications of market-led acceptance are beginning to show. And enabling this wave of acceptance will be security protecting sets of data as it flows in and out of an organization, and everywhere in between. Fintech’s next billion-dollar opportunities therefore might be in the management, application, and protection of its data, facilitated by the powers of open banking, and once again, an enormous punch from Uncle Sam.

Disclaimer: views are my own and may not reflect those of SVB Capital.

Dave Mullen

Venture Investor @ SVB Capital, Emerging Venture Capital Association. B2B SaaS.