With the accelerating pace of innovation and the multitude of possibilities for digital interactions, data privacy and data responsibility should not be an afterthought. What if we innovate with a data privacy-first approach as we shape the future?
Anirban Basak is the founder and CEO of FortifID and a fellow at MIT Connection Science. FortifID is a commercial implementation of Open Algorithms (OPAL), which was introduced at MIT Connection Science in the book “Trusted Data: A New Framework for Identity and Data.”
I spoke with Basak to gain insights on personal data privacy, responsibility and forward-thinking technology innovations from the innovation lab and his solution to preserve data privacy in the KYC/KYB process. The following is the interview, which has been edited for clarity and conciseness.
Deb Reuben: What noteworthy events in your background led you to what you’re doing
Anirban Basak: [I was] a mechanical marine engineer, I spent 10 years in the merchant navy, becoming a chief engineer. Entering the banking space after B-school, working among large institutions like JPMorgan Chase, Capital One and various stints in fintechs over two decades.
Reuben: What problems inspired the creation of FortifID?
Basak: I observed two major problems: a constant dwindling of retail financing portfolio economics and a complete disregard and disrespect for personal data. This became more prolific in the past decade, with institutions taking personal data (DOB, SSN) and doing whatever. I thought, “That’s scary. Where does this end? There’s got to be a way to solve that!”
In the past, people walked to a brick-and-mortar facility; they could see you in the flesh. Now, digital opens [you] up a world of synthetic fraud. There are scary stories about a second person using your PII and living a full life without you knowing. Personal data is big money for data providers but scary for the individual. What if there’s a synthetic version of you somewhere in the world taking loans in your name without your knowledge? How scary is that? Let’s try and solve that.
I learned of the OPAL concept, founded by Dr. Alex “Sandy” Pentland of MIT Media, and connected the dots to see it as a possible disruptive solution. We don’t live in silos; we live in an ecosystem where everyone has to play a part. It’s not just technology; philosophy and behaviors must shift for this to be possible. We created FortifID to bring together the people and organizations to solve this data problem and create a better future.
Reuben: According to the MIT Open Algorithms Project, “the Open Algorithms (OPAL) paradigm seeks to address the increasing need for individuals and organizations to share data in a privacy-preserving manner.” How would you describe the OPAL paradigm?
Basak: OPAL’s trusted data concept simply means stop sharing raw data in its attribute format; only transfer information. When lenders collect people’s PII at the application stage, they do verification, authentication and credit policy underwriting to offer a loan. They need more and more historical data about the individual to make better decisions.
New companies continually say, “We have more data about an individual, buy from us.” It seems that selling data is a good ROI. Lending companies constantly plug into these data providers. The mechanics are that you (the bank, fintech or credit union), connect to the providers. Providers transfer raw data to you. Now you hold onto someone’s personal data. With data protection regulations, the responsibility of mining and guarding this data sits with you.
Over the past few years, financial institutions have become a target for breaches and hackers. So now you, the lender, are doing your job of better decisioning. So, you buy data to avoid fines and comply with regulations. You’re doing a good job holding and mining it. But when breached or hacked, you pay punitive fines.
Combining all this together, how do you make finance portfolio economics work? There’s been a gruesome war between all the lenders cutting APRs to make products more appealing to customers, eroding front-end revenues. Organizations have come up with reward points, essentially currencies, which deplete revenues. On top of that, a constant burgeoning cost of data mining, holding, manual verification and authentication and even breach fines. Constantly evolving regulations are turning into a nightmare for banks.
On one hand, you’re losing revenue. On the other hand, you’re constantly exploding costs, revenue and expenses. If revenue is a constant war between companies, you must find a way to reduce expenses per account. If you deep dive into any loan or asset class and do an NPV per account, you see the costs of onboarding and acquisition, data cost, handling, management, technologies, etc.
It’s how the system works, transferring raw data from providers to data consumers. But if you think about it, the bank needs to confirm you are who you say you are. Yes/No. Simple. Just give me that answer. FortifID is a one-stop shop connected to all these data providers. We don’t transfer raw data; we only transfer information, helping to reduce customer friction, onboarding costs and potential punitive fines in case of breach (which seems like the new normal) [and] benefiting data providers and data consumers and raising accountability for what’s happening with PII. If someday regulators require only collecting information from legit providers, not aggregators, at some point, we will have a better ecosystem.
We are trying to create a zero-emission (of raw data) ecosystem with this platform.
Reuben: What is zero-emission in a data context?
Basak: Inspired by internal combustion engines, zero-emission means data providers will not emit raw data to data consumers; they only pass information assertions claims. An analogy would be electric cars, where energy transmission to the wheels does not require fossil fuels. In the same way, verification and authentication will happen through information claims assertions, not raw data emission from the providers to the data consumers, eliminating extra baggage of raw data transfer.
Reuben: What is the “circle of trust” concept?
Basak: Under data protection regulations, individuals have the right to accuracy and deletion. For instance, let’s say you apply for a loan, and the lender says you’re declined because your identity could not be verified. You have a right to accuracy on that. Who said you are not verified? The institution is accountable for that.
We’re going to the source of truth data collectors, such as bureaus, telecom providers, DMV systems, etc. Not the companies who aggregate and layer data from many sources. We avoid that with a trusted data network consortium, another MIT concept, in which source-of-truth data collectors are members. Others offer KYC, KYB solutions, but you are left managing multiple vendors, connections and PII data storage. We are a one-stop shop. You connect once and access multiple trusted data sources. With our trusted network consortium, we cherry-pick source-of-truth providers. When accessing insights, our platform maintains identifiers for secure data lineage supporting your audits, disputes and algorithm update processes. You gain insight while reducing vendor management and data storage costs and reducing PII protection obligations and exposure for individuals’ PII in case of a breach.
Reuben: What do you see for the future of data privacy?
Basak: As an analogy, it took a while for the world to realize mental health matters. People started speaking; organizations took notice. Now corporations are ensuring people’s mental health matters.
I envision an ecosystem where data providers, data consumers and individuals care about personal data. Individuals know their rights under data protection regulations (GDPR, CCPA, CPRA, etc.) and make their voices heard that this issue matters. Data providers and consumers will start to join this revolution. It can’t be just us; we have to do this together so the ecosystem becomes better.
FortifID is [doing] a case study in a business school in California. I asked their students, “Does privacy matter to you?” Many said, “No. Who cares if somebody has my information?” Then I put it into context. When you go to the liquor store, you must prove your age. What did you do to prove your age? Show your driver’s license. They needed information. Is age greater than 21? But do you realize you showed an unknown person your name, your date of birth, your address. That’s an example of raw data vs. information only.
If we educate the new generation about this, they will be proactive, making this a behavior, leading to transformation.
Anirban Basak is founder and CEO of FortifID and fellow at MIT Connection Science. He holds degrees from Marine Engineering & Research Institute in India, Moore School of Business at MIT and Stanford.
Deborah Reuben, CLFP, is CEO and founder of TomorrowZone, a technology strategy consulting firm bringing forward-thinking insights and original ideas to help companies gain efficiencies and design roadmaps for the future. She holds many industry leadership positions and authored The Certified Lease & Finance Professionals’ Handbook sixth through ninth editions. Learn more at tomorrowzone.io.