Print this article
Handling HNW Clients' Data Via Tokenization – An Overview
Tom Burroughes
15 December 2023
How wealth managers and other firms transmit client data and stay on the right side of data protection laws remains a hot topic. And at issue is whether technology can surmount challenges caused by rules – or create potential problems. Under the European Union’s General Data Protection Regulation, aka GDPR, (adopted in the UK as the law emerged prior to Brexit) it imposed significant obligations on firms, nonprofits and other entities on the personal data they hold, with fines for those who broke the law. (One of the perhaps unintended side-effects of GDPR is that it potentially clashes with calls for public registers of beneficial ownership.) A few weeks ago, the UK government unveiled a UK-US data “bridge,” which took effect from 12 October – granting UK firms the freedom to send personal data to certified US organisations. In the summer, meanwhile, the European Commission ruled that its “privacy shield” pact with the US could continue as the US had adequate protections in place. One way for firms to consider handling data transfers is to make it anonymous, or pseudonymous – partly hiding a person’s real identity, or completely removing any references to a specific person in a way that can identify him or her. The EU General Court has overruled the European Data Protection Supervisor and held that pseudonymised data will not be personal data for the purposes of EU data protection law when transferred to a recipient that is unable to link the pseudonyms to identifiable individuals. According to Dechert, the law firm (12 May), this was a "pragmatic approach that provides greater certainty for businesses that routinely use pseudonymisation, but risks undermining protections for individuals."
Transferring data across national borders is meat and drink to wealth managers, private banks, family offices and other organisations looking after HNW clients. As a result, tech “fixes” that make it easier to stay on the right side of laws are appealing. At issue, however, is how robust these are.
, a US-headquartered data protection business operating in a number of countries, uses data tokenization. This, according to the firm’s website, “protects sensitive data by substituting it with a randomly generated surrogate value known as a token.”
There are two types of data tokenization: vault and vaultless. Vault data tokenization stores information about tokenized data in a database, while vaultless generates tokens with algorithms to prevent easy access.
This approach is winning wealth management clients, Alasdair Anderson, vice president at Protegrity, told this news service in a recent call. Anderson is based in Amsterdam and has worked at the firm since 2020. He is responsible for the financial services vertical at that firm.
“What we would compare ourselves to is encryption,” Anderson said.
The challenge with encryption, Anderson said, is that encryption removes all utility and value from data.
“To use encrypted data the first thing you have to do is decrypt, removing the protection. Our solution allows for almost all data operations to be performed on protected data eliminating operational risk from data access,” he continued. “The solution we provide to the banking world is to protect data and maintain its utility and enhance how it is used.”
At a time when financial centres are changing and face new regulations and challenges, data transfer must be handled responsibly, Anderson said.
Pseudonyms or anonymous?
A key issue is how the status of personal data can be changed, and this is where the terms pseudonymised data and anonymised data arise.
With anonymisation, technology masks or removes identities, and that is forever. Pseudonymisation replaces personal identifiers replaced with artificial identifiers.
At issue is whether a person could re-identify the pseudonymised data with the addition of other information such as their client code, for example. If there is a risk it can be, then the data still falls under GDPR. There are also, possibly, risks that eventually the pseudonymised data could be hacked and penetrated.
Risks
There are potential risks, according to Sorcha Lorimer, founder of data protection consultancy . In a recent article for this publication, she wrote: “A range of risks will be apparent to anyone who has really thought about the volume and sensitivity of data a wealth manager holds on each and every client. Yet there is one huge risk which I suspect is almost a total blind spot for the industry – namely that both wealth managers and the tech companies serving them are very often misunderstanding foundational legal definitions when it comes to pseudonymisation and anonymity, and in the worst case could be unwittingly breaking the law.
“Things are progressing rapidly in this area of course and there are certainly high-tech methodologies coming on line. However, the fact remains that true anonymity is actually very difficult to achieve – so that it is impossible in practicable terms to identify an individual. What many in the data industry will call ‘anonymous’ is actually only pseudonymised or de-identified. The difference is crucial: truly anonymised data is not subject to GDPR whereas anything falling short of this bar absolutely is.
“With anonymisation, masking or deletion is used and it’s irreversible. Pseudonymisation, meanwhile, sees personal identifiers replaced with artificial identifiers (such as client codes) and the information necessary to re-identify the data kept separately. One example of pseudonymisation is tokenization – although, perhaps inevitably, such solutions are very often shopped around as offering true anonymisation in the GDPR sense,” Lorimer wrote.
A lawyer who focuses on data privacy issues told this news service that the basic challenge remains governments’ disregard for the data privacy of their own electorates. Until this situation is resolved, technology workarounds aren’t relevant, this person said.
Locked down unless otherwise stated
Protegrity’s Anderson argues that his firm’s approach is based on the idea that data is locked down and protected unless there is a clear reason for an exception. This contrasts with the idea that all data should be in the open unless there’s a specific reason to keep it secret and classify access.
“Once you are inside you should only see what your job needs…This approach does address some of the complacency that has built up,” he said. “The only people who need to know a first name and last name are those who are right in front of a customer at that space, at that time.”
“We are definitely providing a solution and have been deployed in this space multiple times. We are `detoxifying the data’,” Anderson said.
These data transfer issues are particularly acute for banking and finance, as operations tend to be more complex than in other major business sectors, he added.