Context: Financial institutions in the digital era have gathered a vast trove of data related to their customers. Customer interactions with the bank hold the promise for better services, tailored to customers and more profitable to the institutions. EXUS, the developer of EXUS Financial Suite (EFS), is supporting EPIBANK, a financial institution, in exploiting their data in order to optimise their debt collection services. The datasets that are processed include monthly account records (e.g., bucket, past due amounts, balances, etc.), daily transaction records (e.g., payments, collector-debtor interaction-based information, interest rates, etc.), behavioural scoring variables (e.g., risk levels, collection phases, etc.), demographic variables (age, marital status, etc.), as well as product-based details (e.g., specific type of consumer loan, business loan, credit card, etc.) and occupation-based information. The aforementioned data are used for training ML algorithms for prediction (e.g., self-cured vs. defaulters; time-to-call, day-to-call, promise-to-pay, actual payment probabilities) and intelligent segmentation purposes. The AI metrics (i.e., results) as they are called in EFS, are usually used to create rules for classifying customers into several risk levels (e.g., low, medium, high-risk customers) and applying treatment plans (e.g., next-best action). These treatment plans are usually evaluated in terms of recovery rate and total communication costs. Although EXUS and EPIBANK have tried to deploy currently available PP technologies, this effort has not been fruitful due to their lack of practicality, related to deployment requirements and processing delays.

Missed Opportunities and potential negative impacts due to cybersecurity risks: Any outbound data-sharing presents the risk of exposing knowledge (e.g., the identities of customers and their characteristics) that could be misused by third parties. This has led to EPIBANK sharing part of their data with EXUS. Furthermore, sharing data may run afoul of privacy regulations such as GDPR, while introducing complexities to the necessary processes (e.g., building out new mechanisms to ensure informed consent) that outweigh the potential benefits. This typically creates delay in the initiation of new services and processes. As regards customers, they are also increasingly wary that their data could be misused by the bank, especially in case they are processed in a non-privacy-preserving way.

Infrastructure: Currently EXUS is processing anonymised EPIBANK data on data servers on its premises. For the needs of ENCRYPT, and depending on the type of PP technology that will be employed, data will be processed either at EXUS premises, at EPIBANK premises, or in the cloud. Furthermore, as EPIBANK stores data on different server sites, a federated learning approach with full homomorphic encryption will be followed for specific applications.

Expected ENCRYPT impact: Privacy enhancing techniques will allow EPIBANK and EXUS to unlock the value in sharing financial data without compromising on the privacy and confidentiality of the data subjects.